Description: More discussion of an AV Bypass methodology with possible remediations. This is the video from the talk at ToorCon
Tags: aking1012, ToorCon
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
Fantastic Andrew! I was really busy, but once I started your talk, I just had to finish it :) Nicely done. I wish you all the best! I am sure you are gonna score in BH and Defcon this year.
Note to self... Never open any files from this guy...
@SecurityTube_Bot -- Thanks. We'll see. One of the speakers from Defcon last year expressed an interest in "teaming up" for talks at BH and Defcon next year.
@skinnyskenny -- I'm going to take that as a compliment ;)
Excellent as always! Too bad you got only 20 minutes as the demo part could have been longer, but congratulations and much success. I hope you can write the book you mentioned on the FB security group!!! I will definitely buy it (Hard Copy only... PDF will be dangerous :) !!!!
@esojzuir -- thx. I'm working on writing it even without the publisher sponsorship. That way, if I have to, I can do the Trafford thing and self-publish it. On the 20 minutes and demos... I ran through all the demos. I did have some "future development" and "interesting questions people asked me" slides still in the deck.
Andrew it is really awesome man.
Why don't you make a video with the demo a little clearer?
anyhow awesome bro.
@neo - it's plenty clear to see that it's working... if I went really clear, someone might copy down the generated asm sections for the encoder/decoder stubs ;) Anyway, I didn't record this video. It was recorded at ToorCon. I just got a free copy and upped it (since it was my talk).
@andrew: which language is better to write the encoder and decoder stubs?
What are the prerequisites to write the stub?
@neo - I wrote them in ASM. Even bought a shirt at the con that said "Real men code in ASM." It's just easier that way. It's possible you could do it in C with some APIs that I don't know. I just did in-line assembly. I'm playing with using extended-assembly in-lined to use AES or whatever else.
What type of encoding scheme did you use in the stub?
Is it XOR or RC4 or DES? Or something else?
Where is the better starting point for assembly?
At the moment it's a simple XOR. It's just really random in how it gets put together, structure- and order-wise... so it's tough to detect. Vivek has a good assembly primer. I'm not sure he got into in-line and extended though. If I remember properly he was using MASM. You can do in-line ASM with all modern compilers. MinGW and VC both support it. MinGW uses AT&T syntax and VC uses Intel. Visual Studio leaks personal information like a sieve though.
thanks for the information buddy.
Hi dude,
0dem speaking here!
The guy you mentioned in your video!
I just wanted to say that I didn't claim credit for others.
This is an old technique which I decided to publish a month ago on Exploit-db.
I never saw your video on "http://vimeo.com/25833125" before as you have said from Minute 1:34 on.
And if you say I might be someone you upset in the past, it's again wrong, as is the majority of what you have said about me. You are not that famous, dude! Don't take yourself too important.
Cheers 0dem, not zero-dem nor oh-dem
Same response I sent in the direct email:
"I wasn't trying to upset anyone. You must admit though that the timing is quite odd. 3 months after the video on ST and one week before the conference. Add to that the handle being spelled two different ways and it just seems even more odd. So you could see where I would come to that logical conclusion, yes?
I'm switching demos from the DLL thing to obfuscating the ZeuS executable anyway. That component of the approach will become less relevant in that case."
Ok, similar answer as sent in direct message:
Don't claim others too early, you might be wrong!
I'll note in the presentation at Nullcon that I may have jumped to conclusions a little quickly due to a combination of factors and that we had a civil conversation about it. That video will get posted as well. Does that seem like a solution to you? I think it works for all people involved...
@Andrew - nice logo on the shirt. I saw some writing beneath your white shirt but couldn't make it out!
@Andrew and 0dem - I, too, saw the videos earlier this year on ST about AV evasion as well as the paper on Packetstorm. I realise there are similarities in the techniques presented in these resources.
@Andrew - the idea about obfuscating the executable sounds interesting. I realise that you won't divulge the exact technique, and I'm not asking for that. Am I correct in assuming that the de-obfuscation occurs in memory? I think I understand the reasoning behind your move away from using a loader and a dll. *If* a pen tester wanted to have a user execute a file by SE, the user would have to have both the .exe as well as the .dll. I don't know how easy that would be to arrange but suspect that it would be a good deal easier if the user were required to run just the .exe without an accompanying .dll.
The shirt was already discussed, but thx for noting it.
It's not just that on the binary versus DLL thing... you could fairly easily do a custom binder that maps a DLL into memory and decodes/decrypts there. It's not just that though; someone specifically asked me to do a known malicious binary as part of an upcoming speaking engagement... and ZeuS code was available.
@0dem: I've seen your paper (as I mentioned earlier in this thread) and have two questions:
1. Are you willing to release the source of the empty DLL?
2. You mentioned that this is an old technique. I am new to this field. Do you have any other interesting tips or tricks that would be of interest to members here on ST?