Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Understand Malware Evasion Techniques - Black H...

Thomas Roccia
March 28, 2019
240

Understand Malware Evasion Techniques - Black Hat Asia

Technology advances have significantly changed our lives during the past decade. We rely on computers of various sorts for even the simplest of daily tasks and become stressed when they are not available or do not perform as we expect. The data that we create, use, and exchange has become the gold of the 21st century. Because our information is so valuable and often very personal, attempts to steal it have proliferated.

Malware was first developed as a challenge, but soon attackers recognized the value of stolen data and the cybercrime industry was born. Security companies soon formed to defend people and systems using antimalware technologies. In response, malware developers began experimenting with ways to evade security products. The first evasion techniques were simple because the antimalware products were simple. For example, changing a single bit in a malicious file was sometimes good enough to bypass the signature detection of a security product. Eventually, more complex mechanisms such as polymorphism or obfuscation arrived. Today’s malware is very aggressive and powerful. Malware is no longer developed just by isolated groups or teenagers who want to prove something. It is now developed by governments, criminal groups, and hacktivists, to spy on, steal, or destroy data.

To perform malicious actions, attackers create malware. However, they cannot achieve their goals unless their attempts remain undetected. There is a cat and-mouse game between security vendors and attackers, which includes attackers monitoring the operations of security technologies and practices.

The term evasion technique groups all the methods used by malware to avoid detection, analysis, and understanding.

Thomas Roccia

March 28, 2019
Tweet

Transcript

  1. Unprotect Project Unprotect Malware for the Mass Thomas ROCCIA |

    Security Researcher, Advanced Threat Research @fr0gger_
  2. Summary • Evasion Techniques Definition • Current State of Evasive

    Malware • Malware Evasion Technique Classification • Introducing Unprotect Project • Future Work / Call for improvement
  3. • Evasion techniques are on the rise • More than

    90% of malware are using at least one evasion tricks • Even legit software uses evasion to protect intellectual property • Detection rate can be improved by knowing these techniques About Evasion Tactics
  4. Evasion Techniques can be define by: (1)All the digital techniques

    used by a (mal||soft)ware to avoid, static, dynamic, automatic, human analysis in order to understand its behavior. (2)All the digtal techniques used by a malware to avoid (1) and to evade security solutions, security configuration as well human detection to perform malicious action the longer on the infected machines. (3)Evasion techniques are classified as follow: Anti-Sandboxing, Antivirus Evasion, Anti-Debugging, Anti-Monitoring, Packers, Anti-Disassembly, Process Injection, Network Evasion, Obfuscation (encoding, encryption…), Morphism, Anti-Forensic, Anti-MachineLearning.
  5. • Unprotect Project is an open platform dedicated to Malware

    Evasion Tactics and Techniques. • Previous version: • Wiki • CheatSheet • Tool to fake sandbox • New version: • Online platform to detect common Evasion Techniques during first assessment. • Evasion Techniques classification to allow malware researchers to better understand the different techniques. Introducing Unprotect Project
  6. • A tool to fake sandbox: • Fake registry keys

    of Vmware/VirtualBox/Qemu • Fake processes (VmwareTray.exe, VboxService.exe, wireshark.exe...) • Fake directories (Wine, Vmware Tools, VirtualBox Tools...) • Fake files (vmouse.sys, vboxhook.dll, VboxGuest.sys...) • Fake MAC address related to Vmware or VirtualBox Unprotect Project: Previous Version https://github.com/fr0gger/RocProtect-V1
  7. • Unprotect Project is composed of two main parts: Unprotect

    Project: New Release The online platform including the classification and the analysis engine A python tool for first malware assessment
  8. Description of the functionalities Unprotect PE Summary VT Report Exploit

    Mitigation Packer Detection Anti- Sandbox Anti- Debugging AV Evasion Anti- Disassembly Process Injection Obfuscation Additional Info
  9. • Provide global information about the VT report as well

    a link to it. • Provide information about Exploit Mitigation Flags VirusTotal Report / Exploit Mitigation
  10. • Provide information about potential packer and entropy Anti-Sandboxing •

    Provide information about potential packer and entropy Anti-Sandboxing • Provide information about potential packer and entropy Anti-Sandboxing • Provide information about potential packer and entropy Anti-Sandboxing
  11. • The standalone tool is used to assess malware directly

    from the CLI. Standalone Tool https://github.com/fr0gger/unprotect
  12. • Recode in Python 3 (in progress) • Deploy extra

    modules (Machine Learning in testing) • Improve server resources • Development of the MITRE ATT&CK Roadmap