Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Malware Evasion Technique

Malware Evasion Technique

Presentation about Malware Evasion techniques summary.


Thomas Roccia

March 10, 2017


  1. . McAfee – Thomas Roccia troccia.tdgt.org | Security Consultant Researcher

    ​Malware Evasion Techniques ​How to Defeat Malware Protection? @fr0gger_
  2. . McAfee – Thomas Roccia Whoami Thomas Roccia | @fr0gger_

    French Security Consultant Researcher Working at McAfee Foundstone Malware Fighting Incident Response Threat Intelligence Red Team Assessment Education 2
  3. . McAfee – Thomas Roccia Summary Introduction What is the

    goal of this presentation? The increasing malware threat History of malware protection Why malware use self-defense techniques? How does a Malware succeeds in infecting me? Overview of Malware protection Unprotect Project Conclusion Overview
  4. . McAfee – Thomas Roccia What is the goal of

    this presentation? Introduction Understand why Antivirus engine doesn’t detect new generation of malware? Understand why Sandbox tools are not sufficient in front this threat? Understand why a Malware Analyst can fall into the malware tricks? Introduce the malware protection techniques and how to defeat them. Introduce the Unprotect Project. 4
  5. . McAfee – Thomas Roccia The Increasing Malware Threat Introduction

    Today the malware threat is really increasing and lot of stolen data are sold in the underground markets. Malwares are new weapons used by a lot of actors: Governments Spies Hacktivist Mafia Even kids Remain undetected is vital for a malware. The challenge is huge for attackers and defenders. 5
  6. . McAfee – Thomas Roccia History of Malware Protection Introduction

    The history of malwares began in the 1970s, but the history of malware self-defense didn’t start before the late 1980s. The first virus that attempted to defend itself from antivirus utilities then available was the DOS virus Cascade. It defended itself by partially by encrypting its own code. Two years later, the first polymorphic virus appeared: Chameleon. It used complex encryption and obfuscation methods to protect its code. Until recently, antivirus programs exclusively worked by analysis file codes. It is now becoming more complex with heuristic approach and threat intelligence. 6 https://securelist.com/analysis/publications/36156/the-evolution-of-self-defense-technologies-in-malware/
  7. . McAfee – Thomas Roccia History of Malware Protection Introduction

    7 Cascade Virus Representation of Chameleon Virus J
  8. . McAfee – Thomas Roccia Why does Malware Use Self

    Defense Techniques? Introduction Cyber-criminals invest time to create a coriaceous programs. Some samples are really advanced and contain a lot of functionalities. The protection and self-defense are vital for the Attackers to avoid wasting several months of work. A lot of techniques could be implemented and we can classify them into 3 categories: Anti-SecTools (AV, Firewall…) Anti-Sandbox: detection of automatic analysis Anti-Analyst: detection of manual analysis Some techniques are common to these 3 categories. 8
  9. . McAfee – Thomas Roccia How does a Malware Succeed

    in Infecting Me? “I have the last update of the AV but I get infected” Most of the time the AV engine detects the malicious payload but not the wrapper. A lot of techniques can escape from the AV. Best practices are not always respected. “I bought a really expensive sandbox, but when I run a malicious payload it is not detected” Sandboxes are often misconfigured, which prevents them from detecting malware A lot of information can be retrieved by a malware. “I spent a lot of time to analyze this sample but I still get confused and don’t understand it” Obfuscation, packer, anti-analysis, give the analysts a hard time. 9 Overview
  10. . McAfee – Thomas Roccia Antivirus Engine can Fail How

    does a Malware Succeed in Infecting Me? Most of the time an Antivirus engine is based on: Signature detection Scanning functionalities Heuristic engine A Malware can escape from these functionalities by different techniques: Adding Antivirus exceptions Disabling an Antivirus Using the Sleep Method Using Code injection Etc. 10
  11. . McAfee – Thomas Roccia Sandboxes can Fail How does

    a Malware Succeed in Infecting Me? Sandboxing is the current fashion security tools but also the easiest to use to quickly understand a malware. However a lot of misconfiguration allow a malware to detect this analysis environment. The way to avoid this detection is to provide a real user machine, but it is difficult to maintain. Some security tools can help you to harden your sandbox. 11
  12. . McAfee – Thomas Roccia Analysts can Fail How does

    a Malware Succeed in Infecting Me? A lot of tricks can be used by a malware to defeat the analyst. It is sometimes hard to bypass the protection and very time consuming. Some malwares are prepared to face analysis tools and try to improve their self- defending techniques to remain undetected and incomprehensible. Packers, anti disassembly, anti honeypot, obfuscation and more… are part of the attackers‘ arsenal. The goal for the analysts is to remove these protections to better understand the behavior of the sample. 12
  13. . McAfee – Thomas Roccia Overview of Malware Protection A

    Malicious software in the Windows environment has typically been armored, packed, encrypted or obfuscated to protect itself from classic reviews. There are several ways to avoid detection and analysis. Packer VM/Sandbox detection AV evasion Anti-disassembling Anti-debugging Obfuscation … 13 Overview
  14. . McAfee – Thomas Roccia Examples of Underground Tools Overview

    of Malware Protection 14
  15. . McAfee – Thomas Roccia Obfuscation Overview of Malware Protection

    A Malware often uses obfuscation techniques to avoid detection and analysis. Obfuscation is the fact of obscuring the intended meaning in communication, by making the message confusing, willfully ambiguous, or harder to understand. Malware obfuscation serves the one ultimate purpose: Survival. 15
  16. . McAfee – Thomas Roccia Obfuscation – eXclusive OR (XOR)

    Overview of Malware Protection The XOR operation is the most common used by a malware. This is because it is really easy to use to hide data. Basically a key is used and creates the cipher text. XOR is a reversible function that means it uses the same function to encode and decode. The XOR operation can be brute forced to obtain the key. XORsearch or XORStrings can be used. 16 https://blog.didierstevens.com/programs/xorsearch/
  17. . McAfee – Thomas Roccia Obfuscation - Other Overview of

    Malware Protection A Malware also uses many other methods to obfuscate its content. ROT13 (Caesar) Base64 Common Cryptographic algorithm Custom encoding Visual Basic encoding Commercial obfuscator Hash algorithm Packer 17
  18. . McAfee – Thomas Roccia Packer Overview of Malware Protection

    Malware coders often use packing in order to make the analysis more difficult. They sometimes contain multiple layers of armoring/packing. Many coders commonly use packers – some of which are used by commercial products. When a packer program is running the malware is unpacked. 18 Wrapper Program Packed Executable (non visible in static analysis) Original Executable
  19. . McAfee – Thomas Roccia Process Hollowing Overview of Malware

    Protection Process hollowing is a technique used by a malware to inject a malicious code into another process. For example a sample can create a notepad.exe process and inject its payload. To make process hollowing, a sample will use the following function: CreateProcess: in a suspended mode with the CreationFlag at 0x0000 0004. GetThreadContext: retrieves the context of the specified thread. ZwUnmapViewOfSection: Unmaps a view of a section from the virtual address space of a subject process. VirtualAllocEx: allocates memory within the suspended process’s address space. WriteProcessMemory: writes data of the PE file into the memory just allocated within the suspended process. SetThreadContext: sets the EAX register to the entry point of the executable written. ResumeThread: resumes the thread of the suspended process. 19 http://www.autosectools.com/process-hollowing.pdf
  20. . McAfee – Thomas Roccia Process Hollowing Overview of Malware

    Protection Process hollowing is basically used to avoid detection. Usually a sample will create another process. It can be observed with a tool that monitors the activities of the sample. 20 http://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/
  21. . McAfee – Thomas Roccia Anti-debug Overview of Malware Protection

    The Windows API provides some functions that allow a malware to detect if it is currently being debugged. If a debugging setting is detected, the malware terminates its process or changes its behavior to fool the analyst. Several anti-debug functions used by a malware: IsDebuggerPresent: Searches in the PEB (Process Environment Block) structure if IsDebugged field has a non-zero value (Which implies a debugger is running). CheckRemoteDebuggerPresent: Similar to above, does a simple check for itself or any other process, needs a process handle as input parameter. FindWindow: WinAPI call to check if a window with a certain name is present ("OllyDbg..") NtQueryInformationProcess: Retrieves Info about a specific process using its process handle. If it turns into a non-zero value which would be the port number, then the malware knows it is being debugged. 21 http://antukh.com/blog/2015/01/19/malware-techniques-cheat-sheet/
  22. . McAfee – Thomas Roccia Anti-debug Overview of Malware Protection

    22 Teslacrypt Uncovered – Thomas Roccia
  23. . McAfee – Thomas Roccia VM detection Overview of Malware

    Protection Unfortunately the malware writers are aware that many analysts are using virtualization to perform their analysis. It is trivial to build virtualization detection into the malware – which could cause a number of interesting effects: The Malware may simply refuse to execute It May act as a totally innocent utility / clean file It May Attempt to crash the virtual machine It May Attempt to exploit vulnerability to infect the physical machine 23
  24. . McAfee – Thomas Roccia VM detection – Red Pill

    Technique Overview of Malware Protection The Red Pill is an anti-VM technique that executes the SIDT instruction to grab the value of the IDTR register. The IDTR register can be used only by one OS. VMware relocates the address of IDT for emulation with 0xFFXXXXXX. 24 http://www.simonganiere.ch/2012/11/20/malware-anti-vm-technics/
  25. . McAfee – Thomas Roccia VM detection – Other Techniques

    Overview of Malware Protection No Pill: Use of the SGDT and SLDT instruction for Vmware Detection. Detection of VM process (VmwareService.exe, VmwareTray.exe…). Detection of VM registry keys. Detection of hooking functions (DeleteFileA, CreateFile…). 25
  26. . McAfee – Thomas Roccia Unprotect Project Malware protection can

    be hard to remove. The main goal is to provide the first database about binary protection. The database is a Wiki with: Explanation of the protection technique How to defeat this protection 26 Overview
  27. . McAfee – Thomas Roccia The first database about binary

    protection Unprotect Project The Unprotect Project is a database that aims to group all the protection and self- defending techniques used by malware and binary. The Unprotect is a project community based on contributors and on a Wiki. The goal is to provide to the security community and IT people a knowledge base to detect new generations of malware. Multiple goals: Provide knowledge about malware protection capabilities Provide information to defeat it against Sandbox and Security Tools Provide the way to manually unprotect for malware analysts 27
  28. . McAfee – Thomas Roccia Wiki The Unprotect Project The

    Wiki can be reach at unprotect.tdgt.org It regroups malware self-defense by classification All the people that want to add content can make a request to get account. Content could be: New or unknown malware protection Theoretical malware protection Adding an entry with full description (definition, code, unprotection…) Adding an entry with just definition field 28
  29. . McAfee – Thomas Roccia unprotect.tdgt.org 29

  30. . McAfee – Thomas Roccia What Else? During my research

    I get an idea: 30 Why not emulated a Virtual/Sandbox environment in my physical machine to stay protected against malware? If a malware detect my fake environment, it will not run and I will not get infected J
  31. . McAfee – Thomas Roccia Stay protected by emulate a

    malware analysis machine RocProtect I coded a quick and dirty POC that creates VM artifacts on a machine. RocProtect is an OpenSource POC coded in C++. The tool will create on your system: Fake registry key of Vmware/VirtualBox/Qemu Fake process (VmwareTray.exe, VboxService.exe, wireshark.exe...) Fake directory (Wine, Vmware Tools, VirtualBox Tools...) Fake files (vmouse.sys, vboxhook.dll, VboxGuest.sys...) Fake MAC address related to Vmware or VirtualBox 31
  32. . McAfee – Thomas Roccia Stay protected by emulate a

    malware analysis machine RocProtect 32
  33. . McAfee – Thomas Roccia Conclusion Malware protection and self-defending

    are the techniques that allow attackers to remain undetected. Many techniques can be used to evade Antivirus, Security tools and Analysts. Knowing these techniques can help the IT Security Industry to be more powerful against the malware threats. 33
  34. . McAfee – Thomas Roccia 34 • Thomas Roccia •

    @fr0gger_ Thank you