Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Understand Malware Evasion Techniques - Black H...

Thomas Roccia
March 28, 2019
1
240

Understand Malware Evasion Techniques - Black Hat Asia

Technology advances have significantly changed our lives during the past decade. We rely on computers of various sorts for even the simplest of daily tasks and become stressed when they are not available or do not perform as we expect. The data that we create, use, and exchange has become the gold of the 21st century. Because our information is so valuable and often very personal, attempts to steal it have proliferated.

Malware was first developed as a challenge, but soon attackers recognized the value of stolen data and the cybercrime industry was born. Security companies soon formed to defend people and systems using antimalware technologies. In response, malware developers began experimenting with ways to evade security products. The first evasion techniques were simple because the antimalware products were simple. For example, changing a single bit in a malicious file was sometimes good enough to bypass the signature detection of a security product. Eventually, more complex mechanisms such as polymorphism or obfuscation arrived. Today’s malware is very aggressive and powerful. Malware is no longer developed just by isolated groups or teenagers who want to prove something. It is now developed by governments, criminal groups, and hacktivists, to spy on, steal, or destroy data.

To perform malicious actions, attackers create malware. However, they cannot achieve their goals unless their attempts remain undetected. There is a cat and-mouse game between security vendors and attackers, which includes attackers monitoring the operations of security technologies and practices.

The term evasion technique groups all the methods used by malware to avoid detection, analysis, and understanding.

Thomas Roccia

March 28, 2019
Tweet

More Decks by Thomas Roccia

See All by Thomas Roccia
The XZ Backdoor Story
fr0gger
0
4.2k
Prompt Engineering for Threat Intelligence
fr0gger
1
270
State-Sponsored Financially Motivated Attacks
fr0gger
0
670
Binary Instrumentation for Malware Analysis
fr0gger
2
1.5k
Conti Leaks: Practical walkthrough and what can we learn from it
fr0gger
0
960
Sharing is Caring: Sharing Threat Intelligence Notebook Edition
fr0gger
0
1.9k
Code Graphology
fr0gger
0
720
X-Ray of Malware Evasion Techniques: Analysis, Dissection, Cure?
fr0gger
3
920
AISA - Practical Threat Intelligence
fr0gger
0
1.3k

Featured

See All Featured
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
6.8k
Practical Orchestrator
shlominoach
186
10k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
900
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Happy Clients
brianwarren
98
6.7k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
StorybookのUI Testing Handbookを読んだ
zakiyama
27
5.3k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Producing Creativity
orderedlist
PRO
341
39k
Speed Design
sergeychernyshev
25
620
Building Flexible Design Systems
yeseniaperezcruz
327
38k

Transcript

  1. Unprotect Project Unprotect Malware for the Mass Thomas ROCCIA |

    Security Researcher, Advanced Threat Research @fr0gger_

  2. Summary • Evasion Techniques Definition • Current State of Evasive

    Malware • Malware Evasion Technique Classification • Introducing Unprotect Project • Future Work / Call for improvement

  3. • Evasion techniques are on the rise • More than

    90% of malware are using at least one evasion tricks • Even legit software uses evasion to protect intellectual property • Detection rate can be improved by knowing these techniques About Evasion Tactics

  4. Evasion Techniques can be define by: (1)All the digital techniques

    used by a (mal||soft)ware to avoid, static, dynamic, automatic, human analysis in order to understand its behavior. (2)All the digtal techniques used by a malware to avoid (1) and to evade security solutions, security configuration as well human detection to perform malicious action the longer on the infected machines. (3)Evasion techniques are classified as follow: Anti-Sandboxing, Antivirus Evasion, Anti-Debugging, Anti-Monitoring, Packers, Anti-Disassembly, Process Injection, Network Evasion, Obfuscation (encoding, encryption…), Morphism, Anti-Forensic, Anti-MachineLearning.

  5. Evasion Techniques appears in most samples

  6. Cybercriminals make money by selling evasion tools

  7. Usecases

  8. Evasion Techniques Classification

  9. • Unprotect Project is an open platform dedicated to Malware

    Evasion Tactics and Techniques. • Previous version: • Wiki • CheatSheet • Tool to fake sandbox • New version: • Online platform to detect common Evasion Techniques during first assessment. • Evasion Techniques classification to allow malware researchers to better understand the different techniques. Introducing Unprotect Project

  10. • http://unprotect.tdgt.org Unprotect Project: Previous Version

  11. • A tool to fake sandbox: • Fake registry keys

    of Vmware/VirtualBox/Qemu • Fake processes (VmwareTray.exe, VboxService.exe, wireshark.exe...) • Fake directories (Wine, Vmware Tools, VirtualBox Tools...) • Fake files (vmouse.sys, vboxhook.dll, VboxGuest.sys...) • Fake MAC address related to Vmware or VirtualBox Unprotect Project: Previous Version https://github.com/fr0gger/RocProtect-V1

  12. • Unprotect Project is composed of two main parts: Unprotect

    Project: New Release The online platform including the classification and the analysis engine A python tool for first malware assessment

  13. Description of the functionalities Unprotect PE Summary VT Report Exploit

    Mitigation Packer Detection Anti- Sandbox Anti- Debugging AV Evasion Anti- Disassembly Process Injection Obfuscation Additional Info

  14. • Provide global information about the analyzed PE. PE Summary

  15. • Provide global information about the VT report as well

    a link to it. • Provide information about Exploit Mitigation Flags VirusTotal Report / Exploit Mitigation

  16. • Provide information about potential packer and entropy Packer Detection

  17. • Provide information about potential packer and entropy Anti-Sandboxing •

    Provide information about potential packer and entropy Anti-Sandboxing • Provide information about potential packer and entropy Anti-Sandboxing • Provide information about potential packer and entropy Anti-Sandboxing

  18. • Provide information about anti-debugging tricks and API. Anti-Debugging

  19. • Detect anti-AV tricks used, as well embedded certificate. Anti-AV

  20. • Provide information about potential anti-disassembly tricks. Anti-Disassembly https://media.blackhat.com/bh-us-12/Briefings/Branco/BH_US_12_Branco_Scientific_Academic_WP.pdf

  21. • Provide information about process injection tricks/API. Process Injection

  22. • Provide information about potential data obfuscation, and algoritms used.

    Obfuscation

  23. • Provide network information IP, URL. Network information

  24. • Provide additional information (resources, wallet address, user yara-rules). Additional

    Information

  25. • The online platform provide information about evasion techniques. Online

    Platform

  26. • The standalone tool is used to assess malware directly

    from the CLI. Standalone Tool https://github.com/fr0gger/unprotect

  27. • Recode in Python 3 (in progress) • Deploy extra

    modules (Machine Learning in testing) • Improve server resources • Development of the MITRE ATT&CK Roadmap

  28. Thank You Thomas ROCCIA | Security Researcher, Advanced Threat Research

    @fr0gger_