
Understand malwares

CoolerVoid
September 27, 2021

Small study about malwares.


Transcript

  1. whoami: Just another programmer, four years of experience; security engineer, ten years of experience. Antonio Costa – github.com/CoolerVoid, Twitter: @Cooler_freenode
  2. Malwares: Malware is the name for a program designed to mistreat its users. Viruses typically are malicious, but sometimes software products and software preinstalled in products can also be malicious, and often are; I'm not even joking, it's a sad fact. You can see that such software sometimes sits on the signature whitelist of some antivirus products. Malware often contains hidden behaviour which is only activated when properly triggered.
  3. Malware for Linux? Fake package resources such as a fake .deb, a fake .rpm, a fake .ko (kernel module)... a fake sudo, fake authentication dialogs with Qt/GTK/X11, keyloggers using X11, etc. It's not impossible! github.com/GiacomoLaw/Keylogger - keylogger; github.com/CoolerVoid/rootstealer - tool to manipulate X11; github.com/m0nad/Diamorphine - rootkit for modern kernels; github.com/mthbernardes/Derbie - tool to generate malicious .deb packages
  4. Malware for mobile? Google and Apple invest a lot in security research, but that's not enough! As has been shown time after time, malware is still able to bypass the app-market security checks (Google Play, App Store)! Security vulnerabilities are discovered every day, on a constant basis, and if your device is not patched, you are vulnerable!
  5. Android: Malware uses Android's Accessibility Service to take over the phone, displaying a request prompt that would allow it to add itself to the device administrator list and become the default message manager. Once the takeover is complete, the malware can send an SMS/WhatsApp message containing a specific text to any number, extract text messages and send them to the attacker, open links, change the address of the command center, and steal data such as phone call info. Seen from another angle, once the takeover is complete the malware can send messages to spread itself to your contacts... each malware has a different context!
  6. The X-files: This is my compendium of strange underground codes to make a scholarly joke, forbidden recipes, fallen functions from the depths... only for Windows platforms. Keep out of malicious feelings, only for security study purposes! https://github.com/CoolerVoid/X_files/
  7. Malware in Java... Everything uses libc; for example, the CoreUtils used by Unix-like systems such as FreeBSD, Linux and Darwin (macOS)... you can see commands like rm, ls, mv, mkdir... these programs use libc, the labels for syscalls in unistd.h, etc.
  8. Hooking: Operating systems and software may provide the means to easily insert event hooks at runtime, provided that the process inserting the hook is granted enough permission to do so. Microsoft Windows, for example, allows you to insert hooks that can be used to process or modify system events and application events for dialogs, scrollbars and menus, as well as other items. It also allows a hook to insert, remove, process or modify keyboard and mouse events. Linux provides another example, where hooks can be used in a similar manner to process network events within the kernel through Netfilter (github.com/CoolerVoid/HiddenWall).
  9. Trial bypass history: Hook the time functions... GetSystemTime(), GetTimeFormat(), SystemTimeToFileTime()... If there is an external NTP check, pharming via the hosts file... docs.microsoft.com/en-us/windows/win32/sysinfo/time-functions
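The hosts-file pharming mentioned on slide 9 has a straightforward defender-side check. The following is an added example, not code from the deck or from any linked project: it parses hosts-file text, ignores comments, and reports any entry that overrides a time-synchronisation hostname, since a legitimate hosts file almost never pins NTP servers. The watch list, the function names and the sample hosts text are all constructed for the demo.

```c
// Added example (not from the original deck): flag hosts-file entries that
// override time-sync hostnames. Sample input is constructed for the demo.
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hostnames (matched as case-insensitive suffixes) whose override in the
 * hosts file deserves a look. The list is an assumption for the example. */
static const char *const WATCHED_SUFFIXES[] = {
    "time.windows.com", "pool.ntp.org", "time.nist.gov", "time.apple.com",
};
#define N_WATCHED (sizeof WATCHED_SUFFIXES / sizeof WATCHED_SUFFIXES[0])

/* Case-insensitive "does s end with suffix". */
static int ends_with_ci(const char *s, const char *suffix) {
    size_t ls = strlen(s), lx = strlen(suffix);
    if (lx > ls) return 0;
    s += ls - lx;
    for (; *suffix; s++, suffix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*suffix))
            return 0;
    return 1;
}

/* Return the next whitespace-separated token in *cursor (NUL-terminating it)
 * or NULL when the line is exhausted. */
static char *next_token(char **cursor) {
    char *s = *cursor;
    while (*s == ' ' || *s == '\t' || *s == '\r') s++;
    if (!*s) { *cursor = s; return NULL; }
    char *start = s;
    while (*s && *s != ' ' && *s != '\t' && *s != '\r') s++;
    if (*s) *s++ = '\0';
    *cursor = s;
    return start;
}

/* Scan hosts-file text; print and count entries mapping a watched hostname.
 * Hosts format: one "<address> <host> [<host>...]" per line, '#' starts a comment. */
int count_hosts_overrides(const char *hosts_text) {
    int hits = 0;
    const char *p = hosts_text;
    while (*p) {
        char line[512];
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;   /* truncate oversized lines */
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + strlen(p);

        char *hash = strchr(line, '#');
        if (hash) *hash = '\0';                          /* drop trailing comment */

        char *cursor = line;
        char *addr = next_token(&cursor);
        if (!addr) continue;                             /* blank or comment-only */
        for (char *host = next_token(&cursor); host; host = next_token(&cursor)) {
            for (size_t i = 0; i < N_WATCHED; i++) {
                if (ends_with_ci(host, WATCHED_SUFFIXES[i])) {
                    printf("suspicious hosts entry: %s -> %s\n", host, addr);
                    hits++;
                    break;
                }
            }
        }
    }
    return hits;
}

/* Constructed sample: three overrides of time servers, plus benign entries. */
static const char SAMPLE_HOSTS[] =
    "127.0.0.1 localhost\n"
    "# maintenance entry\n"
    "10.0.0.5 intranet.example.test\n"
    "127.0.0.1 time.windows.com   # redirects the default Windows NTP server\n"
    "192.0.2.10 0.pool.ntp.org 1.pool.ntp.org\n";

int main(void) {
    int n = count_hosts_overrides(SAMPLE_HOSTS);
    printf("%d suspicious entr%s found\n", n, n == 1 ? "y" : "ies");
    return 0;
}
```

On a real system the same function would be fed the contents of /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts; a non-zero result is a reason to compare the file against a known-good baseline.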
  10. Port knocking: A raw socket shell with AES-256-GCM using the port knocking technique: github.com/CoolerVoid/ninja_shell. Raw sockets exist to let a program bypass part of the operating system's normal TCP/IP handling and read or write packets directly.
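The server-side gate behind a port-knocking scheme like the one the ninja_shell slide refers to, as an added example that is not the project's code: a small state machine consumes (destination port, timestamp) events, as a raw-socket listener would parse them from incoming SYN packets, and fires only when the configured sequence arrives in order within a time window. The sequence, the window, the function names and the event trace are constructed for the demo; packet capture itself is out of scope.

```c
// Added example (not from the deck or from ninja_shell): knock sequence
// matcher. Feed it (port, time) pairs parsed from captured packets.
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define KNOCK_LEN 3
#define KNOCK_WINDOW_SEC 10                 /* maximum gap between two knocks */

/* The secret sequence; constructed for the demo. */
static const uint16_t KNOCK_SEQUENCE[KNOCK_LEN] = {7000, 8000, 9000};

struct knock_state {
    size_t progress;    /* knocks matched so far */
    time_t last_knock;  /* time of the last knock that advanced progress */
};

void knock_reset(struct knock_state *st) {
    st->progress = 0;
    st->last_knock = 0;
}

/* Feed one SYN's destination port. Returns 1 exactly when the full sequence
 * has just been completed (the caller would then open the real port for that
 * source address); 0 otherwise. Any out-of-order port discards the attempt. */
int knock_feed(struct knock_state *st, uint16_t port, time_t now) {
    if (st->progress > 0 && now - st->last_knock > KNOCK_WINDOW_SEC)
        st->progress = 0;                   /* too slow: start over */

    if (port == KNOCK_SEQUENCE[st->progress]) {
        st->progress++;
        st->last_knock = now;
        if (st->progress == KNOCK_LEN) {
            st->progress = 0;
            return 1;
        }
        return 0;
    }
    /* wrong port: discard progress; a hit on the first knock restarts */
    st->progress = (port == KNOCK_SEQUENCE[0]) ? 1 : 0;
    st->last_knock = now;
    return 0;
}

struct knock_event { uint16_t port; time_t t; };

/* Replay a list of events from one source and count successful openings. */
int count_opens(const struct knock_event *ev, size_t n) {
    struct knock_state st;
    int opens = 0;
    knock_reset(&st);
    for (size_t i = 0; i < n; i++) {
        if (knock_feed(&st, ev[i].port, ev[i].t)) {
            printf("sequence completed at t=%ld\n", (long)ev[i].t);
            opens++;
        }
    }
    return opens;
}

/* Constructed trace: one good sequence, one with a stray port, one too slow. */
static const struct knock_event DEMO_TRACE[] = {
    {7000, 100}, {8000, 101}, {9000, 102},             /* completes */
    {7000, 200}, {22, 201}, {8000, 202}, {9000, 203},  /* stray port 22 resets */
    {7000, 300}, {8000, 320}, {9000, 321},             /* 20 s gap exceeds window */
};
#define DEMO_TRACE_LEN (sizeof DEMO_TRACE / sizeof DEMO_TRACE[0])

int demo_opens(void) { return count_opens(DEMO_TRACE, DEMO_TRACE_LEN); }

int main(void) {
    printf("openings in demo trace: %d\n", demo_opens());
    return 0;
}
```

Because the knocks are plain SYNs, anyone sniffing the path can replay them; that is why tools in this family pair the knock with authenticated encryption on the channel that opens afterwards, and why a detection team should treat a short burst of SYNs to closed, unusual ports followed by a successful connection as a pattern worth alerting on.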
  11. Dangerous docs... Macros, VBA, exploits... Turn a normal PDF file into a malicious one: github.com/3gstudent/Worse-PDF. Turn Doc files malicious: https://github.com/sevagas/macro_pack
  12. Other resources: replace a QR code; change the rendering of a bar code; steal cookies; form grabbing; steal the browser's database (SQLite); use a headless browser to bypass a firewall; use BitLocker to encrypt data... (ransomware); use an embedded library to encrypt resources...; miner bot...; load a fake driver (rootkit)...
  13. Protections: To prolong the life of a malware, you frequently see anti-VM and anti-debugging techniques being used to delay the analysis performed by security experts. The good news is that you have many ways to try to mitigate that; for example, with OllyDbg you can use the OllyExt plugin to try bypassing anti-debugger resources. Another way, which also follows the hooking approach, is to watch for such behaviour: for example, when the debugger executes a malware, you can hook the function IsDebuggerPresent() to make it always return zero (bypassing the debug detector).
  14. Bypass malware protections: But in any case, you can also protect the machine. You can take the function IsDebuggerPresent() and, with hooking, force it to always return 1. By following this approach the malware is never going to start its trigger, since by now it is either frozen or has called an exit() function; other outcomes may happen as well. Malware often contains hidden behaviour which is only activated when properly triggered. No trigger, the malware quits, simple.
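The hooking approach of slides 8, 13 and 14, carried to Linux as an added example (not code from the deck or from any of the linked projects). On Windows the deck hooks IsDebuggerPresent() so it always reports a debugger; the closest Linux self-check is ptrace(PTRACE_TRACEME), which fails with EPERM when a tracer is already attached. The block below interposes the ptrace symbol so that check always fails, and a stand-in sample gate then refuses to run its payload path. The names debugger_detected, run_if_unmonitored and ptrace_hook_calls are the example's own, and the sample gate is a placeholder, not real malware.

```c
// Added example (not from the original deck): Linux analogue of "hook
// IsDebuggerPresent() so it always returns 1". The ptrace() definition
// below shadows libc's wrapper for every call in this program.
#include <errno.h>
#include <stdio.h>

#define HOOK_PTRACE_TRACEME 0   /* same value as PTRACE_TRACEME on Linux */

static unsigned long g_ptrace_calls = 0;

/* Hook: same symbol name as libc's ptrace(2) wrapper. Linked into the program
 * (or built with -shared -fPIC and loaded via LD_PRELOAD) it is resolved
 * before libc's copy. The real syscall is never issued; every request fails
 * with EPERM, which is exactly what a process already under a debugger sees
 * when it asks for PTRACE_TRACEME. */
long ptrace(int request, ...) {
    (void)request;
    g_ptrace_calls++;
    errno = EPERM;
    return -1;
}

/* Typical anti-debug self-check seen in samples: "if I cannot trace myself,
 * someone else already is". Returns 1 when it believes a debugger is attached. */
int debugger_detected(void) {
    return ptrace(HOOK_PTRACE_TRACEME, (void *)0, (void *)0, (void *)0) == -1;
}

/* Stand-in for a sample's trigger gate (placeholder, not real malware):
 * returns 1 if the payload path was taken, 0 if the sample bailed out. */
int run_if_unmonitored(void) {
    if (debugger_detected()) {
        puts("sample: debugger detected, exiting without triggering");
        return 0;
    }
    puts("sample: clean machine, payload path would run here");
    return 1;
}

unsigned long ptrace_hook_calls(void) { return g_ptrace_calls; }

int main(void) {
    run_if_unmonitored();
    printf("ptrace hook was called %lu time(s)\n", ptrace_hook_calls());
    return 0;   /* expected: the sample bails out, hook called once */
}
```

The hook only covers the libc wrapper: code that issues the syscall directly, or that reads TracerPid from /proc/self/status, never passes through it, which is the same limitation the IsDebuggerPresent() hook has on Windows against code that reads the PEB BeingDebugged flag itself. Either way the result is the behaviour slide 14 describes: a sample that trusts the check believes it is being analysed and quits before its trigger fires.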
  15. Install the VMware additions or VirtualBox resources to mimic a VM on your desktop... Manual unpacking and migrating DLLs, binaries, etc.
  16. Trigger anti-VM resources: Inspired by the PowerShell script Fake Sandbox Processes (FSP), this script allows you to create various artifacts on a bare-metal Windows computer in an attempt to trick malware that looks for VMs or analysis tools. github.com/NavyTitanium/Fake-Sandbox-Artifacts
  17. Problems with sandbox artifacts: Bank desktop applications use anti-debugger and anti-VM resources... this can close your bank desktop application... Games (Steam client / Origin client) have anti-cheat engines; those engines close the application when they detect VM resources or debugger resources...
  18. theZoo: “theZoo is a project created to make the possibility of malware analysis open and available to the public. Since we have found out that almost all versions of malware are very hard to come by in a way which will allow analysis, we have decided to gather all of them for you in an accessible and safe way. theZoo was born by Yuval tisf Nativ and is now maintained by Shahak Shalev.” https://github.com/ytisf/theZoo
  19. Veil: “Veil is a tool designed to generate metasploit payloads that bypass common anti-virus solutions.” github.com/Veil-Framework/Veil
  20. al-khaser: “Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.” https://github.com/LordNoteworthy/al-khaser