Upload: ctruncer

Post on 15-Apr-2017

The Art of AV Evasion - Or Lack Thereof

@ChrisTruncer

WHOAMI

◉ Sys Admin Turned Red Teamer for Mandiant
◉ Florida State Seminole
◉ Open Source Software Developer
○ Veil-Framework
○ EyeWitness
○ Egress-Assess

What is this talk about?

◉ Stager Background
◉ Veil-Evasion’s AV Bypass Approach
◉ Signatured - DOH!
◉ An Experiment I Conducted
◉ Process Creation

Stagers

What are stagers?

◉ Can be referred to as “stage 1”
○ This can be msfvenom or Veil-Evasion output
◉ The goal for these is (typically) to inject shellcode into memory
○ The shellcode’s task is usually to download and inject a reflective DLL
○ Or anything you specify
◉ This is essentially a loader for your real malware

What are stagers?

◉ Any language that has a means to access Windows functions can be used to develop stagers!
○ This can open up a ton of options
◉ Interacting with Windows functionality isn’t all that scary!
○ It’s just four function calls

Shellcode Injection Basics

◉ Allocate memory to store shellcode, and set proper memory protections
◉ Copy the shellcode that you want to run into the previously allocated memory
◉ Create a thread to execute the shellcode
◉ Have your code run until the thread has completed execution (you exit Meterpreter)

VirtualAlloc

◉ Allocates memory within the current process
○ How much memory should it allocate (shellcode size)?
○ Which permissions should be assigned to the allocated memory?
■ RWX?
■ W?

RtlMoveMemory

◉ Moves shellcode into the memory space that’s been allocated
○ Needs a pointer indicating where to copy the shellcode (VirtualAlloc output)
○ A pointer indicating where you are copying “data” from
○ The length of data (shellcode) to copy

CreateThread

◉ This function creates a new thread for the copied shellcode
○ Needs a pointer to the start of the code (shellcode) that you want to run in a new thread
○ Schedule the thread to run immediately

WaitForSingleObject

◉ This function tells the program (stager main) to wait to exit until the thread completes
○ A handle to the thread that was just created (output from CreateThread)
○ A value (-1) instructing the program to wait until the thread has finished running
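The four calls above are also the sequence a defender looks for. As an added example (not code from the talk or from Veil-Evasion), this small analyzer walks a list of recorded Win32 API calls, such as a sandbox or ETW-style trace would produce, and flags the allocate-RWX, copy, thread, wait chain; the trace format, field names and sample trace are constructed for this example.

```python
"""Flag the four-call injection sequence described in the talk in an API trace.

Added example (not from the talk): walks recorded Win32 API calls and reports
when a process allocates executable memory, copies data into it, starts a
thread at that address and then blocks on the thread handle.
The trace format and field names are constructed for this example.
"""

PAGE_EXECUTE_READWRITE = 0x40   # the "RWX" protection the slides ask about
INFINITE = 0xFFFFFFFF           # what a -1 argument to WaitForSingleObject becomes

def find_injection_sequences(trace):
    """Return a list of (alloc_address, thread_handle) for each full sequence found.

    trace: iterable of dicts with 'api', 'args' (dict) and 'ret'.
    """
    rwx_allocs = set()        # addresses returned by VirtualAlloc with RWX
    written = set()           # RWX allocations later used as a copy destination
    threads = {}              # thread handle -> start address of a suspicious thread
    hits = []
    for call in trace:
        api, args, ret = call["api"], call["args"], call["ret"]
        if api == "VirtualAlloc" and args.get("flProtect") == PAGE_EXECUTE_READWRITE:
            rwx_allocs.add(ret)
        elif api == "RtlMoveMemory" and args.get("Destination") in rwx_allocs:
            written.add(args["Destination"])
        elif api == "CreateThread" and args.get("lpStartAddress") in written:
            threads[ret] = args["lpStartAddress"]
        elif api == "WaitForSingleObject" and args.get("hHandle") in threads:
            if args.get("dwMilliseconds") in (INFINITE, -1):
                hits.append((threads[args["hHandle"]], args["hHandle"]))
    return hits

# Constructed sample trace: one benign RW (0x04) allocation, then one matching chain.
SAMPLE_TRACE = [
    {"api": "VirtualAlloc", "args": {"dwSize": 4096, "flProtect": 0x04}, "ret": 0x1000},
    {"api": "RtlMoveMemory", "args": {"Destination": 0x1000, "Length": 64}, "ret": None},
    {"api": "VirtualAlloc", "args": {"dwSize": 512, "flProtect": 0x40}, "ret": 0x20000},
    {"api": "RtlMoveMemory", "args": {"Destination": 0x20000, "Length": 512}, "ret": None},
    {"api": "CreateThread", "args": {"lpStartAddress": 0x20000}, "ret": 0x1A4},
    {"api": "WaitForSingleObject", "args": {"hHandle": 0x1A4, "dwMilliseconds": -1}, "ret": 0},
]

if __name__ == "__main__":
    for addr, handle in find_injection_sequences(SAMPLE_TRACE):
        print(f"RWX alloc at {addr:#x} executed by thread handle {handle:#x}")
```

The benign read/write allocation in the sample is deliberately not reported; only the RWX allocation that is written to and then executed on a waited-for thread is.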

AV’s Approach to Catching Malware

AV Methods of Detection

◉ Signature Based
○ This is what Veil-Evasion attempts to bypass
◉ Heuristics Based
◉ “Crowd Sourced”
○ Reputation

Veil-Evasion’s Approach to Bypass AV

Approaches to Bypassing AV

◉ Ghost code / net no-operation code
◉ Encrypted binaries
○ Hyperion
◉ Custom Code
◉ Multiple different ways to approach bypassing AV

Veil-Evasion’s Approach

◉ We are combating on-disk detection through different techniques:
○ Obfuscated code
○ Encrypted code
○ Non-standard languages for Windows binaries
■ Python, Ruby, Perl, etc.
■ Flat Payloads vs. others

◉ Languages within Veil-Evasion
○ Python
○ Perl
○ PowerShell
○ C#
○ C
○ Go
○ Ruby

◉ Using a language that’s not C or C# made a big difference
○ AV programs didn’t know or didn’t properly inspect non-standard languages
◉ Example:
○ C Flat vs. Python Flat

Simply changing the language the code is written in completely bypassed all signatures.

Time for a New Module

Close Enough to June V-Day

◉ It’s been a little while since our last V-Day
○ Sorry, life…
◉ I have a module I wrote a while ago that’s been fairly successful
◉ It’s Python based
◉ Let’s release it today!

Remember Hyperion?

◉ I briefly mentioned Hyperion before
◉ Hyperion is a cool concept
○ It works by completely encrypting an executable
○ It wraps a decoder stub around the executable
○ Hyperion uses a purposefully restricted keyspace for generating the encryption key
○ The decryption key is NOT within the executable
○ The executable brute forces itself at runtime and once decrypted, runs the original executable

◉ This is a pretty nifty idea; it shouldn’t be hard to write in a higher-level language.
◉ However, there is an issue/feature when performing decryption routines
○ If I don’t provide the right key, I don’t get an alert; I just get decrypted garbage

◉ So I can’t just try/except my way through this module for incorrect keys
◉ Let’s perform a chosen plaintext attack!
○ An attack where we specify the plaintext and can observe the ciphertext
◉ A small modification of this will let me make a Python-based Hyperion-esque module
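The same property that lets the stub recognise the right key is what makes a restricted keyspace weak against analysis. As an added example (not Hyperion’s or Veil-Evasion’s code), a toy keystream cipher stands in for the real encryption, a known plaintext marker is prepended so a correct key can be recognised, and the analyst-side recovery runs the identical loop offline; the marker, the 16-bit keyspace and the cipher are all constructed for this example.

```python
"""Why a Hyperion-style restricted keyspace gives no secrecy against analysis.

Added example, not Hyperion's or Veil-Evasion's code: a toy stream cipher
stands in for the real encryption. A wrong key yields garbage, not an error,
so a known plaintext marker is prepended and the brute force stops when the
marker decrypts correctly. An analyst holding the blob can run the same loop.
Marker, keyspace size and cipher are constructed for this example.
"""
import hashlib
import itertools

KEY_BYTES = 2                    # constructed: 65,536 possible keys
MARKER = b"KNOWN-PLAINTEXT!"     # constructed marker the stub knows in the clear

def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode over the key. Not a real cipher."""
    out = bytearray()
    for counter in itertools.count():
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])

def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def seal(key: bytes, payload: bytes) -> bytes:
    """Encrypt marker + payload; the key itself is stored nowhere."""
    return xor_crypt(key, MARKER + payload)

def recover(blob: bytes):
    """Brute-force the keyspace; return (key, payload, tries) or None.
    Without the marker every key 'succeeds' with garbage (the slides' issue)."""
    for tries, k in enumerate(range(256 ** KEY_BYTES), start=1):
        key = k.to_bytes(KEY_BYTES, "big")
        head = xor_crypt(key, blob[:len(MARKER)])   # decrypt only the marker first
        if head == MARKER:
            return key, xor_crypt(key, blob)[len(MARKER):], tries
    return None

# Constructed sample: an analyst is handed BLOB and knows only the marker scheme.
SECRET_KEY = (0x2A7F).to_bytes(KEY_BYTES, "big")
BLOB = seal(SECRET_KEY, b"original executable bytes go here")

if __name__ == "__main__":
    key, payload, tries = recover(BLOB)
    print(f"key {key.hex()} recovered after {tries} tries: {payload!r}")
```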

Notification of Signature

◉ Finally, after approximately 1 year, we had our first signature

◉ I was pretty excited to see if someone finally figured Veil-Evasion out.
◉ Previous attempts have turned out kind of humorous…

Preparation

ShowMeCon Prep

◉ I originally wanted to start looking into a brand new bypass to release for ShowMeCon

◉ Started looking into it, and immediately was disappointed in one vendor.

What did I try?

◉ Generated Payload - Caught
◉ Removed the Shellcode - Caught
◉ Renamed CTypes library (extra length) - Caught
◉ Commented Windows Function Calls
○ From one, to all of them
○ Caught
◉ Deleted ALL THE THINGS and did a “Hello World from Veil” test

Hello World!

What about in Windows?

◉ Test this functionality out in Windows!
○ This just seems odd…
◉ Build a Python-based payload, but just the source
◉ “Compile” the script in Windows
◉ See what happens
○ Need to figure out the “baseline signature”

What are my Thoughts?

◉ This leads me to believe Avast is developing signatures for binaries generated by Veil-Evasion, regardless of whether they are malicious.
○ Let’s test this by generating a Windows binary outside of Veil-Evasion, but within Kali.

What did I Learn?

◉ Avast has chosen the shotgun approach of just blacklisting Windows binaries made by PyInstaller within Linux
◉ So this leads to two observations:
○ They’re going to be potentially blacklisting valid programs
○ Just “compile” your payload in Windows :)

Let’s Experiment with AV

Experiment Outline

◉ Generate most of the payloads currently in Veil-Evasion

◉ Test against multiple vendors, ensuring the ones I see most are included

◉ Differentiate between detected binaries, suspect/reputation based detections, and clean results

◉ Record the results

Who am I testing?

◉ Symantec
◉ McAfee
◉ Avast
◉ Microsoft Security Essentials
◉ Avira
◉ AVG
◉ ESET

Predictions?

◉ Generally - Most modules will bypass AV
◉ There will be some that are caught
○ C or C# based payloads
○ Probably some of the “Flat” modules
◉ Python based modules are the original ones, and likely will be caught
◉ Newer languages like Go will bypass AV
◉ “Pure” stagers will bypass AV
◉ PowerShell wins

The ability to detect an open source virus as the single datapoint for determining which antivirus product to buy isn’t the best evidence for your decision.

But it’s not a bad supplement :)

Observations

◉ A lot of interesting information:
○ Of all the payloads generated against all the tested AVs, almost 50% are determined to be virus free
○ Ruby Base64 Encoded payload is the least detected payload
○ C# Flat is the most detected payload
○ McAfee is the worst at detecting Veil-Evasion payloads
○ AVG is the best at detecting Veil-Evasion payloads

◉ Crowd-sourcing antivirus detection can be an option, but will heavily rely on:
○ The number of nodes submitting to the cloud
○ The configuration of your system
■ How does it respond on low, medium, high, etc. reputations?
○ Does it just ignore and/or not use signatures?

Wrapup

◉ Antivirus isn’t a brick wall
◉ The tiniest modifications can bypass antivirus
◉ AV vendors are human, and make human decisions when choosing how to make signatures
○ You can exploit this
◉ Anyone can develop new ways to bypass AV
◉ Seriously…
○ I’m not an expert, anyone can do this

Develop Your Process

◉ I approach AV the way I approach red teaming environments I don’t know
○ I see stuff I have never touched before all the time, and I need to learn to abuse it
○ Develop your process for interacting with technology (or AV signatures) you’ve never encountered

A difference between an experienced professional and someone new to the field is that the pro is confident in their own methodology when encountering unknowns and being successful.

Any questions ?

Reach out to me!

◉ @ChrisTruncer
◉ https://www.christophertruncer.com
◉ https://www.github.com/ChrisTruncer

Thanks!