genetic malware
TRANSCRIPT
![Page 1: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/1.jpg)
Genetic MalwareDesigning payloads for
specific targets
@midnite_runr@wired33
Ekoparty 2016
![Page 2: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/2.jpg)
Who we are• Travis Morrow
• AppSec, Mobile, WebTesting, SecOps
• Josh Pitts
• Author of BDF/BDFProxy
• https://github.com/secretsquirrel
• AppSec, RedTeaming, WebTesting, SecOPs
![Page 3: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/3.jpg)
How we got here…
![Page 4: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/4.jpg)
![Page 5: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/5.jpg)
![Page 6: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/6.jpg)
![Page 7: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/7.jpg)
![Page 8: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/8.jpg)
![Page 9: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/9.jpg)
Dude, I have this algo…
![Page 10: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/10.jpg)
![Page 11: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/11.jpg)
Awesome Let’s do it..
![Page 12: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/12.jpg)
![Page 13: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/13.jpg)
![Page 14: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/14.jpg)
If you write Malware you have four
enemies (besides LE)
![Page 15: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/15.jpg)
If you write Malware you have four
enemies (besides LE)
If you write Malware you have four
enemies (besides LE)
Conduct Operations ^
![Page 16: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/16.jpg)
AntI-VIRUS
Automated
SANDBOX
Reverse
ENGINEERCrow
dsou
rcing
Info S
harin
g
![Page 17: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/17.jpg)
AntI-VIRUS
Automated
SANDBOX
Reverse
ENGINEERCrow
dsou
rcing
Info S
harin
g
![Page 18: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/18.jpg)
• Including Consumer Grade Products
• Founded by the Charlie Sheen of our industry
• Easy to bypass, not really a concern
• Can make you more vulnerable
• Respect for F-Secure and Kaspersky
AntI-VIRUS
![Page 19: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/19.jpg)
• Including Consumer Grade Products
• Founded by the Charlie Sheen of our industry
• Easy to bypass, not really a concern
• Can make you more vulnerable
• Respect for F-Secure and Kaspersky
AntI-VIRUS
![Page 20: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/20.jpg)
However…
![Page 21: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/21.jpg)
![Page 22: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/22.jpg)
![Page 23: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/23.jpg)
![Page 24: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/24.jpg)
![Page 25: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/25.jpg)
![Page 26: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/26.jpg)
![Page 27: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/27.jpg)
![Page 28: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/28.jpg)
• Easy to bypass analysis
• A lot of machines are still XP
• They often:
• Have unique ENV vars
• Rarely change external IP
• Have analysis timeouts
Automate
d
SANDBOX
![Page 29: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/29.jpg)
• Easy to bypass analysis
• A lot of machines are still XP
• They often:
• Have unique ENV vars
• Rarely change external IP
• Have analysis timeouts
Automate
d
SANDBOX
![Page 30: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/30.jpg)
• Hard to defeat the Reverse Engineer (RE)
• Tricks that defeat AV and Automated Sandboxes != work on an experienced RE
• If malware payloads decrypt in memory on the RE’s machine, it can be analyzed
• At best you can only slow down the RE
• Turn RE into a password cracker and you win
Reverse
ENGINEER
![Page 31: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/31.jpg)
• Kind of a MMO of Whack-A-Mole
• Magnifies the outcome of easy to fingerprint malware
• Defeat the RE and this becomes less effective
Crowds
ourci
ng
Info S
harin
g
![Page 32: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/32.jpg)
• Kind of a MMO of Whack-A-Mole
• Magnifies the outcome of easy to fingerprint malware
• Defeat the RE and this becomes less effective
Crowds
ourci
ng
Info S
harin
g
![Page 33: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/33.jpg)
Enter Environmental Keying
![Page 34: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/34.jpg)
Enter Environmental Keying
… a short primer
![Page 35: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/35.jpg)
Clueless Agents• Environmental Key Generation towards Clueless Agents (1998) - J. Riordan, B. Schneier
• Several methods for key sources:
• Server required
• Usenet
• Web pages
• (Forward|Backwards)-Time Hash Function
• Host specific
• Mail messages
• File System
• Local network
![Page 36: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/36.jpg)
Clueless Agents• Environmental Key Generation towards Clueless Agents (1998) - J. Riordan, B. Schneier
• Several methods for key sources:
• Server required
• Usenet
• Web pages
• (Forward|Backwards)-Time Hash Function
• Host specific
• Mail messages
• File System
• Local networkNO
POC
![Page 37: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/37.jpg)
Secure Triggers
• Foundations for Secure Triggers (2003), Corelabs
• Did not reference Clueless Agents
• Defeat REs and analysis
• Makes mention of OTP
• Lots of Math (too much)
![Page 38: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/38.jpg)
Secure Triggers
• Foundations for Secure Triggers (2003), Corelabs
• Did not reference Clueless Agents
• Defeat REs and analysis
• Makes mention of OTP
• Lots of Math (too much)NO POC
![Page 39: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/39.jpg)
Bradley Virus• Strong Cryptography Armoured Computer Virus Forbidding Code Analysis (2004), Eric Filiol
• References Clueless Agents
• Nested encrypted enclaves/payloads
• “Complete source code is not available”
• “[…]cause great concern among the antiviral community. This is the reason why will not give any detailed code.
![Page 40: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/40.jpg)
Bradley Virus• Strong Cryptography Armoured Computer Virus Forbidding Code Analysis (2004), Eric Filiol
• References Clueless Agents
• Nested encrypted enclaves/payloads
• “Complete source code is not available”
• “[…]cause great concern among the antiviral community. This is the reason why will not give any detailed code.NO
POC
![Page 41: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/41.jpg)
Hash and Decrypt
• Mesh design pattern: hash-and-decrypt (2007), Nate Lawson
• Application of secure triggers to gaming
![Page 42: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/42.jpg)
Hash and Decrypt
• Mesh design pattern: hash-and-decrypt (2007), Nate Lawson
• Application of secure triggers to gaming NO POC
![Page 43: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/43.jpg)
Über-Malware
• Malicious Cryptography… Reloaded (CanSecWest 2008) - E.Filiol, F.Raynal
• New: Plausible Deniability!
• Via OTP
• POC was a XOR
![Page 44: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/44.jpg)
Über-Malware
• Malicious Cryptography… Reloaded (CanSecWest 2008) - E.Filiol, F.Raynal
• New: Plausible Deniability!
• Via OTP
• POC was a XOR NO POC
![Page 45: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/45.jpg)
Impeding Automation• Impeding Automated Malware Analysis with Environmental-sensitive Malware (2012), Usenix,(C.Song, et al)
• Did not reference Clueless Agents or the Bradley Virus
• Rediscovers Environmental Keying..
• Examples of Environmental keys
• Great Quotes:
• “Due to time constraints..”
• “[…]exceeds the scope of this paper,[…]
• “At the inception of this paper, concerns were raised[…]”
![Page 46: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/46.jpg)
Impeding Automation• Impeding Automated Malware Analysis with Environmental-sensitive Malware (2012), Usenix,(C.Song, et al)
• Did not reference Clueless Agents or the Bradley Virus
• Rediscovers Environmental Keying..
• Examples of Environmental keys
• Great Quotes:
• “Due to time constraints..”
• “[…]exceeds the scope of this paper,[…]
• “At the inception of this paper, concerns were raised[…]” NO
POC
![Page 47: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/47.jpg)
Researchers have not released an open source environmental keying POC
![Page 48: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/48.jpg)
Flashback (2011)
![Page 49: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/49.jpg)
Flashback (2011)
• Mac OS X only malware
• Initial agent sent back UUID of OS to server
• Server used MD5 of UUID to encrypt payload
• Sent back to user and deployed
![Page 50: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/50.jpg)
Gauss (2012)
![Page 51: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/51.jpg)
Gauss (2012)
• Discovered by Kaspersky
• Encrypted Payload “Godel”
• Key derived from directory path in program files, MD5 hashed for 10k rounds
• Not publicly decrypted to date
![Page 52: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/52.jpg)
![Page 53: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/53.jpg)
![Page 54: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/54.jpg)
Targeted Malware Compared to Biological/
Chemical Agents
![Page 55: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/55.jpg)
![Page 56: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/56.jpg)
Chemical Agents• Area effect weapons
• Effective for days to weeks
• For targeting systems:
• Domain specific env vars
• External IP address
• Check system time
![Page 57: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/57.jpg)
Biological Agents• Viral
• Genetic Targeting
• “Ethnic Weapons”
• For systems targeting:
• Path
• Particular file (OTP)
• See Jacob Torrey’s Work at HITB 2016 on PUFs (https://conference.hitb.org/hitbsecconf2016ams/wp-content/uploads/2015/11/D1T1-Jacob-Torrey-Using-the-Observer-Effect-and-Cyber-Fengshui.pdf)
![Page 58: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/58.jpg)
Targeted Malware and its use in
Operations
![Page 59: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/59.jpg)
Deploy everywhere work somewhere
![Page 60: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/60.jpg)
Operational plausible
deniability
![Page 61: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/61.jpg)
Hidden Command and Control (C&C)
![Page 62: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/62.jpg)
Hidden C&C
Deployment C&C 1
![Page 63: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/63.jpg)
Hidden C&C
Deployment C&C 1
![Page 64: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/64.jpg)
Hidden C&C
Deployment C&C 1
![Page 65: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/65.jpg)
Hidden C&C
![Page 66: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/66.jpg)
Hidden C&C
Deployment C&C 2
![Page 67: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/67.jpg)
Hidden C&C
Deployment C&C 2
![Page 68: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/68.jpg)
Hidden C&C
Deployment C&C 2
![Page 69: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/69.jpg)
Hidden C&C
![Page 70: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/70.jpg)
Hidden C&C
Deployment C&C 3
![Page 71: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/71.jpg)
Hidden C&C
Deployment C&C 3
![Page 72: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/72.jpg)
Hidden C&C
Deployment C&C 3
![Page 73: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/73.jpg)
Hidden C&C
Deployment C&C 3
![Page 74: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/74.jpg)
Hidden C&C
Deployment C&C 3
![Page 75: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/75.jpg)
Could you imagine a world where all malware was
targeted?
![Page 76: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/76.jpg)
http://www.livescience.com/45509-hiroshima-nagasaki-atomic-bomb.html
![Page 77: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/77.jpg)
https://s-media-cache-ak0.pinimg.com/564x/61/8b/52/618b52fcfefecb3eada6f7bb74e8a5bc.jpg
![Page 78: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/78.jpg)
![Page 79: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/79.jpg)
http://mattruple.theworldrace.org/blogphotos/theworldrace/mattruple/salesman.jpg
![Page 80: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/80.jpg)
E.B.O.W.L.A.
![Page 81: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/81.jpg)
Ethnic BiO Weapon Limited Access
E.B.O.W.L.A.
![Page 82: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/82.jpg)
High Level Overview
![Page 83: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/83.jpg)
![Page 84: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/84.jpg)
E.B.O.W.L.A.
![Page 85: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/85.jpg)
E.B.O.W.L.A.
}
![Page 86: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/86.jpg)
E.B.O.W.L.A.
}
![Page 87: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/87.jpg)
Framework
![Page 88: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/88.jpg)
Framework
![Page 89: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/89.jpg)
Framework
![Page 90: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/90.jpg)
Framework
![Page 91: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/91.jpg)
Framework
![Page 92: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/92.jpg)
Framework
![Page 93: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/93.jpg)
Protection Mechanisms
![Page 94: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/94.jpg)
Protection Mechanisms
![Page 95: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/95.jpg)
Key Derivation: Environmental Factors
Supported Environmentals • Environment Variables (e.g. %TEMP%, %USERNAME%, %TEMP%, etc)
• File System Path (e.g. C:\windows\temp )
• External IP Range (e.g. 100.10.0.0, 100.0.0.0)
• Time Trigger (e.g. 20160401)
![Page 96: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/96.jpg)
Encryption:
payload_hash = sha512(payload[:-offset_bytes])
key = ((sha512(token1+token2+…)) * Iterations)[:32]
enc_blob = base64(zlib*(iv+AES.CFB(key,iv,payload)))
Key Derivation: Environmental Factors
![Page 97: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/97.jpg)
Decryption:
1) Retrieve environment variables
2) Traverse File System from StartingPoint
3) Combine into all possible combinations and decrypt
** trial_key = sha512(token1 + token2 + …)* Iterations)[:32]
** if(sha512(decryptpayload(iv,enc_blob,trial_key[:-offset_bytes]) == payload_hash; continue
Encryption:
payload_hash = sha512(payload[:-offset_bytes])
key = ((sha512(token1+token2+…)) * Iterations)[:32]
enc_blob = base64(zlib*(iv+AES.CFB(key,iv,payload)))
Key Derivation: Environmental Factors
![Page 98: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/98.jpg)
Key Derivation: Unique File
![Page 99: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/99.jpg)
Encryption:
payload_hash = sha512(payload[:-offset_bytes])
location = rand_location(uniq_key_file)
key = ((sha512(read.location) * Iterations)[:32]
enc_blob = base64(zlib*(location + lc.length + iv + AES.CFB(key,iv,payload)))
Key Derivation: Unique File
![Page 100: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/100.jpg)
Decryption:
1) Traverse File System from StartingPoint
2) Create a key from every file encountered & Attempt Decryption
** trial_key = sha512(readFile.location)* Iterations)[:32]
** if(sha512(decryptpayload(iv,enc_blob[22:],trial_key)[:-offset_bytes]) == payload_hash; continue
Encryption:
payload_hash = sha512(payload[:-offset_bytes])
location = rand_location(uniq_key_file)
key = ((sha512(read.location) * Iterations)[:32]
enc_blob = base64(zlib*(location + lc.length + iv + AES.CFB(key,iv,payload)))
Key Derivation: Unique File
![Page 101: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/101.jpg)
Protection Mechanisms
![Page 102: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/102.jpg)
Protection Mechanisms
![Page 103: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/103.jpg)
Protection Mechanisms
![Page 104: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/104.jpg)
Key Derivation: One Time Pad (OTP)
![Page 105: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/105.jpg)
Key Derivation: One Time Pad (OTP)
![Page 106: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/106.jpg)
Pad Creation:
1)payload_hash = sha512(payload[:-offset_bytes])
2)short_len = len(payload)*10%
3)payload_hash_short = sha512(payload)[:short_len]
4)lookup_table(uniqueBinary) = base64(zlib*([ [offset_loc][len],[offset_loc][len], … ]))
Key Derivation: One Time Pad (OTP)
![Page 107: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/107.jpg)
Attacker PayloadTarget UniqueBinary
Key Derivation: One Time Pad (OTP)
![Page 108: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/108.jpg)
Attacker PayloadTarget UniqueBinary
Lookup Table
Key Derivation: One Time Pad (OTP)
![Page 109: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/109.jpg)
Decryption:
1) Traverse File System from StartingPoint
2) Open Each file and build 10%
3) Validate 10% hash Matches then build entire payload
** if(sha512(rebuild_payload(lookup_table,current_file)[:-offset_bytes] == payload_hash; exec()
Key Derivation: One Time Pad (OTP)
![Page 110: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/110.jpg)
Issue
Execution mechanism easily discovered in scripting languages
Fix
Protect the loader in Powershell and Python
Execution Loader Protection
![Page 111: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/111.jpg)
Outputs(aka Cyber Pathogens)
![Page 112: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/112.jpg)
Outputs
GO PythonPS
![Page 113: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/113.jpg)
Outputs
GO PythonPS
NEW
![Page 114: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/114.jpg)
Input/Out Compatibility
Payload Python GO PowerShell
x64 x32 x64 x32 x64 x32Reflective DLL In Memory In Memory In Memory In Memory
DLL In Memory In Memory In Memory In Memory
EXE On Disk On Disk In Memory In Memory In Memory In Memory
ShellCode In Memory In Memory In Memory In Memory In Memory In Memory
Python Code In Memory In MemoryPowerShell Code In Memory
FileDrop Supported In Progress Supported
![Page 115: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/115.jpg)
Input/Out Compatibility
Payload Python GO PowerShell
x64 x32 x64 x32 x64 x32Reflective DLL In Memory In Memory In Memory In Memory
DLL In Memory In Memory In Memory In Memory
EXE On Disk On Disk In Memory In Memory In Memory In Memory
ShellCode In Memory In Memory In Memory In Memory In Memory In Memory
Python Code In Memory In MemoryPowerShell Code In Memory
FileDrop Supported In Progress Supported
![Page 116: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/116.jpg)
New PowerShell
• Uses Invoke-ReflectivePEInjection for PE/DLL injection by Joe Bialek: @JosephBialek
• Uses Invoke-Shellcode by Matt Graeber (@mattifestation)
![Page 117: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/117.jpg)
Usage
![Page 118: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/118.jpg)
$ ./ebowla.py payload config
$ #Then compile output
![Page 119: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/119.jpg)
The config file
![Page 120: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/120.jpg)
Three Sections
• Overall
• OTP Settings
• Symmetric Settings
![Page 121: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/121.jpg)
Overall Section
Encryption_Type OPTIONS: OTP ENV
output_type OPTIONS: Python, GO, PowerShell
payload_type OPTIONS for GO: EXE, DLL_x86, DLL_x64, SHELLCODE OPTIONS for PYTHON: EXE, SHELLCODE, CODE, FILE_DROP OPTIONS for PS: CODE, FILE_DROP, DLL_x86, DLL_x64, EXE, SHELLCODE
key_iterations OPTIONS: Any number? Be reasonable.
![Page 122: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/122.jpg)
Symmetric Key Settings
This has four sections:
•ENV_VARS
•PATH
•IP_RANGES
•SYSTEM_TIME
![Page 123: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/123.jpg)
Symmetric Key Settings
ENV_VARS Can be anything, can add whatever you want if value is ‘’, it is not used. The value is used as a key.
examples: username = ‘Administrator’ # Used homepath = ‘’ # Not used
PATH
path This is used as a key. OPTIONS: A full static path.
start_loc Location to start looking for path match OPTIONS: Static location or Env variable (%PROGRAMFILES%)
![Page 124: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/124.jpg)
Symmetric Key Settings
IP_RANGES
external_ip_mask Simple IP MASK, limited to /24 /16 /8 Example: 11.12.13.14, 11.12.13.0, 11.12.0.0, 11.0.0.0
SYSTEM_TIME
Time_Range Limited to Year, Month, or DAY Format: YYYYMMDD Example: 20160401, 20160400, or 20160000
![Page 125: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/125.jpg)
DEMO TIME
![Page 126: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/126.jpg)
DEMO TIME
![Page 127: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/127.jpg)
The Scenario
• An American in Paris is low on Rubles
• Wants Starcraft really bad
• Answer: BitTorrent a cracked game!
• Unfortunately the cracked starcraft games are patched with a backdoor targeting the most current version of BitTorrent
![Page 128: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/128.jpg)
DEMO 1: OTP• Using BitTorrent.exe as the PAD
• Version 7.9.5, Build 41866, 32bit
• Meterpreter reverse https is the payload via a first stage DLL
• Searching for the PAD starts in %APPDATA%
• Code delivered through a backdoored/cracked game
• Download and Execute payload
![Page 129: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/129.jpg)
Torrent C&C
DEMO 1: OTP
![Page 130: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/130.jpg)
Torrent C&C
1. Cracked_game.exe
DEMO 1: OTP
![Page 131: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/131.jpg)
Torrent C&C
1. Cracked_game.exe
2. Ebowla_GO_payload.exe
DEMO 1: OTP
![Page 132: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/132.jpg)
Torrent C&C
1. Cracked_game.exe
2. Ebowla_GO_payload.exe
3. In memory Execution of a reverse https stage one payload
as a DLL
DEMO 1: OTP
![Page 133: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/133.jpg)
Torrent C&C
1. Cracked_game.exe
2. Ebowla_GO_payload.exe 4. meterpreter.dll & C&C
3. In memory Execution of a reverse https stage one payload
as a DLL
DEMO 1: OTP
![Page 134: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/134.jpg)
DEMO 2: Key from File• Using a location in BitTorrent.exe as the AES key source
• Version 7.9.5, Build 41866, 32bit
• Pupy EXE reverse https
• Searching starts in %APPDATA%
• Code delivered through a backdoored/cracked game
• Download and Execute payload
![Page 135: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/135.jpg)
Torrent C&C
DEMO 2: Key from File
![Page 136: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/136.jpg)
Torrent C&C
1. Cracked_game.exe
DEMO 2: Key from File
![Page 137: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/137.jpg)
Torrent C&C
1. Cracked_game.exe
2. Ebowla_GO_payload.exe
DEMO 2: Key from File
![Page 138: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/138.jpg)
Torrent C&C
1. Cracked_game.exe
2. Ebowla_GO_payload.exe
3. In memory execution the Pupy EXE
DEMO 2: Key from File
![Page 139: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/139.jpg)
Torrent C&C
1. Cracked_game.exe
2. Ebowla_GO_payload.exe Pupy C&C
3. In memory execution the Pupy EXE
DEMO 2: Key from File
![Page 140: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/140.jpg)
DEMO 3:Layered Payload • Using Environmental Factors
• Stage 2:
• Env Vars: Computer Name, number of processors as keys
• GO EXE launching Pupy x64 DLL
• Stage 1:
• Using Date Range and IP Mask as keys
• Python EXE, writes stage 1 to disk and Executes
• Code delivered through a backdoored/cracked game
• Download and Execute payload
![Page 141: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/141.jpg)
Torrent C&C
DEMO 3:Layered Payload
![Page 142: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/142.jpg)
Torrent C&C
1. Cracked_game.exe
DEMO 3:Layered Payload
![Page 143: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/143.jpg)
Torrent C&C
1. Cracked_game.exe
2. Ebowla_multilayer_payload.exe
DEMO 3:Layered Payload
![Page 144: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/144.jpg)
Torrent C&C
1. Cracked_game.exe
2. Ebowla_multilayer_payload.exe
3. PyInstaller EXE => (disk)GO EXE => (memory)Pupy DLL
DEMO 3:Layered Payload
![Page 145: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/145.jpg)
Torrent C&C
1. Cracked_game.exe
2. Ebowla_multilayer_payload.exe Pupy C&C
3. PyInstaller EXE => (disk)GO EXE => (memory)Pupy DLL
DEMO 3:Layered Payload
![Page 146: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/146.jpg)
DEMO 4: Powershell
Deploy Empire via powershell
![Page 147: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/147.jpg)
Known Issues/Bugs• Chaining payloads:
• GO EXE launching GO via Memory Module - DIE IN A FIRE
• Pyinstaller EXE launching Pyinstaller EXE FROM DISK - Loses namespace
• GO (memory module) -> Pyinstaller - Just no…
• Metasploit x86 PE EXE template does not work with MemoryModule
• OTP:
• MZ/DOS Header Leak
![Page 148: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/148.jpg)
This is OK
• Go EXE
• PyInstaller EXE
• Chaining PyInstaller EXE -> GO EXE
![Page 149: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/149.jpg)
Roadmap
• C++ loaders - In Progress
• Additional execution modules
• Better chaining of payloads
• OSX/Linux Support
![Page 150: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/150.jpg)
Questions?
Download: https://www.github.com/genetic-malware/Ebowla
@midnite_runr
@wired33
![Page 151: Genetic Malware](https://reader031.vdocuments.site/reader031/viewer/2022012917/5880eccd1a28ab0d358b6dfb/html5/thumbnails/151.jpg)
https://matrixbob.files.wordpress.com/2015/03/bio-weapons.gif
Credits
http://static5.businessinsider.com/image/51e418a66bb3f7230a00000e-1200-900/guys-drinking-coffee-in-tel-aviv.jpg
http://blogs-images.forbes.com/benkerschberg/files/2015/02/crowdsourcing-spigot.jpg
https://archive.org/details/P-G_Ohst_Exploitation
https://github.com/vyrus001/go-mimikatz
https://github.com/clymb3r
https://github.com/mattifestation