Bad binaries go to heaven

Intro

Xavier Invers Fornells
4 min read · Mar 25, 2021

Companies spend hundreds of thousands of dollars on defensive security products (SIEM, EDR, IPS, IDS, HIDS, forensic tools, next-generation firewalls, etc.) and hundreds of thousands more hiring what they believe is the best talent available to face bad actors. The sum of all this reaches an unbelievable amount of money. Can you imagine that number for a Fortune 50 company?

On the other hand, stop for a minute and think about how much it can cost to penetrate their network: nothing. Or maybe something, if the attacker has no idea how to do it and buys the “ingredients” on the dark net (or pays a neighbour).

Although a company may spend a huge amount of money on cybersecurity products, there will always be someone able to bypass them. In some cases it will be easy and in others harder, but the point is that with good skills, enthusiasm and commitment everything is possible (even for our average Joe!).

And what about those expensive products?

Over the last couple of decades antivirus solutions have evolved impressively. However, motivated people who never stop investigating and learning keep finding ways to bypass every new technology used to catch bad files.

First we had so-called “signature detection”, easily bypassed by modifying a single byte of the file. Then came heuristic detection, developed to overcome the shortcomings of signatures. This is still static analysis, but focused on the structure (patterns) of the file and on suspicious characteristics rather than on exact bytes.

Over the years new detection technologies were developed that focus on the binary's behaviour once it is executed. This technique evolved to the point where, within milliseconds, the suspicious file is executed in a sandbox, an isolated (often cloud-hosted) environment (spoiler: this happens very fast, and that short time budget can hurt the results, since a sample that simply sleeps or waits for user interaction never shows its real behaviour inside the sandbox).

The hands-on part will only come in Part II. The first techniques are quite popular and it is easy to find information about them.

Moving to a more technical field

Signatures and Heuristics

As said before, the first AV technology was based on a hash signature of the file, a kind of fingerprint. Also as said before, that method is easily bypassed by changing a single byte of the file (any change produces a new hash), so it makes little sense to rely for security on a list of hashes.

The problem (from the AV-bypass point of view) with signature-based detection arises when the signature is based on specific bytes inside the file rather than on the hash of the whole file. In that case, changing a random byte will not help. What can we do then? Split the binary, find the specific bytes the AV detects and modify them so the signature no longer matches! But there is a catch: if those bytes are part of code or of a structure the program needs, changing them can break the execution of the whole binary.

Dsplit to the rescue! This is an old tool used to split a binary into many pieces. We start by splitting it into big parts and then progressively split those parts into smaller ones until we find the exact bytes matched by the AV signature. While splitting the binary, we scan the pieces with the open-source engine ClamAV. NOTE: Dsplit is no longer available; the alternative is called Find-AVSignature (part of PowerSploit's AntivirusBypass module).
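The same search, written here as an added example (it is not Dsplit, Find-AVSignature or any code from the post), done as a bisection instead of writing hundreds of chunk files to disk. `clamav_flags` shells out to `clamscan` and assumes it is on PATH with a current signature database; the offline demonstration uses a constructed “binary” and a constructed `fake_scanner` that stands in for the engine, so the script runs without ClamAV installed.

```python
import subprocess
from typing import Callable, Optional, Tuple

Scanner = Callable[[bytes], bool]


def clamav_flags(chunk: bytes) -> bool:
    """Scan one chunk with ClamAV read from stdin ("-" as file name).

    clamscan exit codes: 0 = clean, 1 = detection, 2 = error.
    Assumes clamscan is on PATH with an up-to-date database.
    """
    proc = subprocess.run(
        ["clamscan", "--no-summary", "-"], input=chunk, capture_output=True
    )
    if proc.returncode == 2:
        raise RuntimeError(proc.stderr.decode(errors="replace"))
    return proc.returncode == 1


def find_signature(data: bytes, flagged: Scanner) -> Optional[Tuple[int, int]]:
    """Locate the byte range [start, end) that the scanner keys on.

    Phase 1 finds the shortest prefix of the file that is still detected
    (its last byte is the end of the signature); phase 2 finds the latest
    start offset from which the slice up to that end is still detected.
    Assumes detection is monotone: a slice is flagged iff it contains the
    whole pattern. Plain byte-pattern signatures behave that way;
    PE-structure-aware heuristics may not, so treat a nonsense result as
    "not a byte signature" rather than as a location.
    """
    if not data or not flagged(data):
        return None

    # Phase 1: smallest `end` with flagged(data[:end]).
    # Invariant: data[:lo] is clean (lo = 0 is the empty slice), data[:hi] is flagged.
    lo, hi = 0, len(data)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if flagged(data[:mid]):
            hi = mid
        else:
            lo = mid
    end = hi

    # Phase 2: largest `start` with flagged(data[start:end]).
    # Invariant: data[lo:end] is flagged, data[hi:end] is clean (hi = end is empty).
    lo, hi = 0, end
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if flagged(data[mid:end]):
            lo = mid
        else:
            hi = mid
    return lo, end


# --- offline demonstration with a constructed file and a fake scanner ---
FAKE_PATTERN = b"EVIL-PATTERN"  # constructed; stands in for an AV byte signature
SAMPLE = b"\x90" * 1000 + FAKE_PATTERN + b"\xcc" * 500  # constructed "binary"


def fake_scanner(chunk: bytes) -> bool:
    """Stand-in for clamav_flags(): 'detects' only the constructed pattern."""
    return FAKE_PATTERN in chunk


def demo() -> Tuple[int, int, bytes]:
    start, end = find_signature(SAMPLE, fake_scanner)
    return start, end, SAMPLE[start:end]


if __name__ == "__main__":
    start, end, sig = demo()
    print(f"signature at [{start}:{end}] -> {sig!r}")
```

For a real file, read it into `data` and pass `clamav_flags` instead of `fake_scanner`; two bisections cost about 2·log2(size) scans, each spawning one `clamscan` process. Once you have the offsets, look at them in a disassembler or PE parser before touching anything: if the range is code or a header field rather than a string, the patch that kills the signature will also kill the binary, which is exactly the catch described above.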

Encoding that “bad” file

Well, the truth is that here we have two possibilities: encode only the shellcode or encode the whole bad file. This technique has some drawbacks (although it can of course solve the detection problems from the previous section):

  • Encoding does not change behaviour. So if you are facing a modern EDR, encoding the binary alone will probably not have much effect.
  • Metasploit encoders are very popular and well known. Don't waste your time encoding a .exe payload generated with Metasploit. You can also try a different template (notepad.exe, calc.exe, ...) and experiment a bit.
  • All encoding requires decoding, and to decode we need a pattern/routine (the decoder stub). Again, these routines are well known and probably have a high detection ratio.

It has to be said that we should forget about encoding any 32-bit shellcode; those are too popular. On the other hand, 64-bit shellcode is not so popular, so maybe we have an advantage there.
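To make the three drawbacks above concrete, here is an added example (not code from the post, nor a Metasploit encoder) of the simplest possible scheme, a repeating-key XOR. `PAYLOAD` is a constructed, inert byte string standing in for shellcode. Every build gets a fresh random key, so the encoded blob and its hash change each time, yet the decode routine is the same every time and the decoded bytes, and therefore the behaviour, are identical: that fixed routine and that unchanged behaviour are what the bullets say heuristics and EDR key on.

```python
import hashlib
import os
from typing import Tuple

# Constructed stand-in for shellcode (inert bytes, chosen only to look like code).
PAYLOAD = bytes.fromhex("fc4883e4f0e8c0000000415141505251564831d2")


def make_key(key_len: int = 8) -> bytes:
    """Random key with no 0x00 byte: XOR with 0x00 leaves the payload byte
    unchanged, so a zero in the key would leak plaintext fragments that a
    byte signature could still match."""
    while True:
        key = os.urandom(key_len)
        if 0 not in key:
            return key


def xor_encode(payload: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Every byte changes, so the file hash and any byte
    signature taken over the payload stop matching."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))


def xor_decode(blob: bytes, key: bytes) -> bytes:
    """The decoder routine. XOR is symmetric, so it is the same loop; in a
    real loader this is a handful of machine instructions that never change
    between builds, which is why decoder stubs are such good signatures."""
    return xor_encode(blob, key)


def build(payload: bytes) -> Tuple[bytes, bytes]:
    """One 'build': a fresh key and the encoded blob."""
    key = make_key()
    return key, xor_encode(payload, key)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def payload_is_recoverable(payload: bytes) -> bool:
    """Decoding gives back exactly the original bytes: the behaviour is
    untouched by the encoding (drawback 1)."""
    key, blob = build(payload)
    return xor_decode(blob, key) == payload


def builds_differ(payload: bytes) -> bool:
    """Two builds of the same payload have different hashes, so a hash
    signature on the encoded file is useless; the decoder did not change."""
    _, first = build(payload)
    _, second = build(payload)
    return sha256(first) != sha256(second)


if __name__ == "__main__":
    key, blob = build(PAYLOAD)
    print("key   :", key.hex())
    print("blob  :", blob.hex())
    print("sha256:", sha256(blob))
    print("round-trip ok:", xor_decode(blob, key) == PAYLOAD)
```

The null-key caveat is worth keeping in mind with any XOR-style encoder: a 0x00 key byte is a no-op, and if the key repeats every 8 bytes the corresponding payload positions survive in clear, which is enough for a short byte signature to fire.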

The interesting part starts here

What about getting hands-on and writing our own code? This is the best way to bypass signature, heuristic and behaviour detection mechanisms, even when using Meterpreter, the swiss army knife of session handlers.

What is an API?

You can develop an application in several flavours (languages), but what they all have in common is the use of APIs. Those APIs are simply pre-built functions offered by Microsoft (when referring to the Win32 API) and accessible through dynamic-link libraries (DLLs). There are lots of APIs, but in the bad-files world some common ones are:

Let's stop here for today! In the next part we will go deeper into this specific topic.
