Rationale of Antiviruses and Crypters

Baphomet (Translator)
a week ago
#1
Hello everyone, today I am going to teach you the working logic of antiviruses and crypters, with my own explanations, which may be true or false. I will use MalwareBytes as the example antivirus. Actually it is not an antivirus, it is an anti-malware, and a simple one.



I will use Quasar RAT as the example malware; it is coded in C#.NET, and many of you know it.

+ Managing files and folders.
+ Downloading and uploading files.
+ Managing Task Manager.
+ Operating CMD commands.
+ Webcam and screen shots.

and it contains a lot of features like that. The malware uses a reverse shell, which means the server is the hacker's computer and the client is the target's computer. The target connects to the hacker at the stated IP address and port.



I am creating an example malware with QuasarRAT; the IP address will be 127.0.0.1, so it is for the local computer, and I will try it on my own computer. My malware scanner, MalwareBytes, has Malware and PUP protection turned on, btw.



I saved malware to the desktop as backdoor.exe.



When I scan this with MalwareBytes;



When I run this on my computer;



It shows us backdoor.exe's static and dynamic analysis reports.

STATIC ANALYSIS

Static analysis tries to match small sections and variables in the source code of applications against the source code of malicious applications in their databases. If the match is correct, the application is flagged as a virus.
To bypass this, we need to encrypt the byte codes of the application. When the crypter application runs, it is our malware that will decode the byte codes and appear in a directory in pure form. In crypting, encryption methods such as the BASE64 encoding technique, RC4, XOR, AES etc. are generally used. Now let's code a scan-time crypter as an example.

We open a project in any IDE you want. First, I will code the STUB, which will be compiled and carry the encrypted code of the virus. Then I will code a binder that integrates the desired bytes into the STUB project and compiles it. Here is my STUB project;



Here, the function named AESDecryption returns the byte codes of the encrypted malware, decrypted with the specified key and IV. The Extractor function extracts the specified decoded byte codes to the specified directory. Our directory is hidden in the string variable named "backdoorPath". So it will be extracted to "C:\Users\Azad\AppData\Roaming\Backdoor.exe", and the extracted Backdoor.exe will start.

The [KEY], [IV] and [BYTES] points in the code should be noted. These are not variables and not input. We will save the code of this project in a text ******** and save it in Resources in the Binder. Then we will replace the [KEY], [IV] and [BYTES] points and compile it with CodeDom.

I open a new project and put the uncompiled source code into the Resources part.



Now let's go to the code part.



(There is an error on the 36th line of the photo; do not consider it, it is a problem caused by me. It will not affect you.)

In the code, the program first asks for the name the STUB will be given when it is compiled, the key for AES, the IV for AES and the path of the malware that will be crypted. Then, using these values, we edit the source code that we added to Resources with the Replace function and finally compile our STUB with the Compile function.

Here is the result;



And it came out in the STUB directory, named Chrome.exe.



We have to obfuscate this exe now; I will use SmartAssembly for obfuscation... This method makes the code difficult to read.





Now I will use VirusTotal for the scan results. (If you are thinking of using it, do not send it to sites that send reports to the antiviruses, like VirusTotal.)

Original backdoor.exe



Crypted backdoor.exe



As you can see, there has been a big decrease in detection rates, but those 50 antiviruses will still detect this file when they are running. The crypter we made was scan-time.

DYNAMIC ANALYSIS

The reason this method exists is that the source code of viruses is encrypted and obfuscated in different ways. In this way, antiviruses cannot detect malware with database matches. That's why dynamic analysis is used in antiviruses. Dynamic analysis analyses registry operations, file and folder operations, process manager operations, network operations and many other processes. Now let's code a run-time crypter.

We open a project in any IDE you want. First, I will code the STUB, which will be compiled and carry the encrypted code of the virus. Then I will code a binder that integrates the desired bytes into the STUB project and compiles it. Here is my STUB project;



As you can see, instead of extracting it to the directory this time, we created a child process in memory in the Run function, and ran the bytes decrypted with AESDecryption there.

The first parameter of the MethodBase.Invoke function asks where to start the code; we left it null because we wanted Main. The second parameter is the parameters of the Main function; it can be edited optionally. This function is designed for .NET executables; you may need to use WIN32 APIs if you want to crypt an executable coded in another language. Now we save this code in Notepad and paste it into the Resources section of the project that we will open for the Binder.



Now let's go to the code part.

In the code, the program first asks the user for the STUB's key for AES, the IV for AES, and the path to the malware that needs to be crypted. Then, using these values, we edit the source code that we added to Resources with the Replace function, and finally we compile our STUB with the Compile function.



And here is the result;



And it came out in the STUB directory, named Chrome.exe.



Now let's do a run-time scan;



As you can see, with MalwareBytes running, a connection to the QuasarRAT server (the hacker (me)) was received without any intervention.


How Can We Circumvent the Sandbox

Some antivirus and anti-malware products test executable files in sandboxes and write what they do to a log file; according to this log file the antivirus detects malware. Most sandboxes have run times; they shut down after a certain period of time and give the log. In the past, when we put our application into Sleep mode in virtual environments, the virtual environment would see the application as harmless. Later this method became primitive. As a method to overcome this again: we constantly open 2 spaces in memory, fill in the 1st area and then transfer this 1st area to the 2nd area. So the sandbox perceives the application as harmless and says "This is doing a lot, absolutely harmless." Here is the example code for this;



Now let's try this as an example;

The example that does not run the harmless code first, but runs the malicious code directly;



The example that runs the harmless code first and then runs the malicious code;





That was the end of my topic. Antiviruses and anti-malware can still detect these methods, and if they come up with a powerful or new method, these methods won't work. I suggest coding the type of file to be crypted yourself instead of using a crypter, so it's harder to catch. It is also easy to catch if a crypter is used.


--------------------- Redesign Rebuild Reclaim
Topic last edited by Baphomet (a week ago at 10:09).
Ra, M3m0ry, Neander, Dolyetyus thanked this post.
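From the defender's side, the reason the scan-time crypter in the post lowers the static detection rate is that signature matching needs recognisable byte sequences, and an AES/RC4-encrypted payload has none. What it leaves behind instead is a block of near-random bytes, and that is the classic static signal for packed or crypted files. The following is an added example (not code from the post, from Quasar, or from MalwareBytes) that scans a binary image for exactly that: it measures Shannon entropy over fixed windows and reports where the high-entropy region sits. The "plain code" and "crypted blob" inputs are constructed stand-ins built inline (the blob is deterministic SHA-256 output, which is statistically just as random as real ciphertext), so nothing here touches a real file or cipher.

```python
"""Entropy scan of a binary image: the static-analysis signal that a crypted
(encrypted) embedded payload leaves behind. Added example, not code from the
original post; the samples below are constructed stand-ins, not real files."""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 1024, threshold: float = 7.2):
    """Slide a non-overlapping window over `data` and return merged
    (start, end, max_entropy) tuples for windows at or above `threshold`.
    Compiled code and strings typically sit around 4-6 bits/byte; compressed or
    encrypted blobs sit near 8, which is what packers and crypters produce."""
    regions = []
    for off in range(0, max(1, len(data) - window + 1), window):
        h = shannon_entropy(data[off:off + window])
        if h < threshold:
            continue
        if regions and regions[-1][1] == off:          # extend the previous run
            start, _, best = regions[-1]
            regions[-1] = (start, off + window, max(best, h))
        else:
            regions.append((off, off + window, h))
    return regions


def constructed_plain_code(size: int = 4096) -> bytes:
    """Stand-in for ordinary compiled code plus strings: a skewed byte distribution."""
    pattern = b"MOV EAX, [EBP+8]\x00\x00\x00\x00 System.IO.File.WriteAllBytes "
    return (pattern * (size // len(pattern) + 1))[:size]


def constructed_crypted_blob(size: int = 4096, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic pseudo-random bytes standing in for an AES/RC4-encrypted
    resource. No cipher is needed for the demonstration: ciphertext is
    statistically indistinguishable from output like this."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:size])


def build_sample() -> bytes:
    """A stub-like layout: loader code, then the encrypted payload, then more code."""
    return constructed_plain_code() + constructed_crypted_blob() + constructed_plain_code()


def crypted_fraction(data: bytes, window: int = 1024, threshold: float = 7.2) -> float:
    """Share of the image covered by high-entropy regions; a coarse packer score."""
    covered = sum(end - start for start, end, _ in high_entropy_regions(data, window, threshold))
    return covered / len(data) if data else 0.0


if __name__ == "__main__":
    sample = build_sample()
    for start, end, h in high_entropy_regions(sample):
        print(f"high-entropy region 0x{start:x}-0x{end:x} ({h:.2f} bits/byte)")
    print(f"fraction of image that looks encrypted: {crypted_fraction(sample):.2f}")
```

Run as a script it reports one region covering the middle third of the constructed image. The window size matters: with 256-byte windows, even uniformly random data averages only about 7.3 bits/byte because the sample is too small to fill all 256 symbols, so a 7.2 threshold would flicker; 1 KiB windows land near 7.8 and separate cleanly from code at 4-5. This is a signal, not a verdict: compressed resources, certificates and media embedded in legitimate binaries also score high, which is why scanners combine it with other evidence.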
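On the dynamic-analysis side, the three behaviours the post walks through are each visible in process telemetry: the scan-time stub decrypts a payload, writes it under AppData\Roaming and executes it; the run-time stub loads a .NET assembly from a byte array, so the assembly has no backing file; and the sandbox-evasion stub does nothing but memory churn for a long stretch before its first connection. The following is an added example (not code from the post or from any product) that scores a constructed event log for those three patterns. The event schema is an assumption loosely modelled on Sysmon-style file, process and network events, the empty `location` field for an in-memory assembly load is an assumption about what such telemetry would record, and every event, path and port below is constructed.

```python
"""Behavioural detection over process telemetry: the dynamic-analysis side.
Added example, not code from the original post. The event schema and all
events below are constructed for the demonstration (loosely modelled on
Sysmon-style file, process and network events), not a real product's log."""
from collections import defaultdict

# Directories that a stub commonly writes a decrypted payload into.
DROP_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")
# Idle-looking activity that can run out a sandbox clock.
QUIET_TYPES = {"MemoryAlloc", "MemoryCopy"}
# A first outbound connection later than this, with only quiet activity before
# it, is scored as stalling.
STALL_SECONDS = 120.0

CONSTRUCTED_EVENTS = [
    # pid 100: scan-time style stub drops a decrypted .exe into Roaming and runs it.
    {"t": 0.2, "pid": 100, "type": "FileCreate",
     "path": r"C:\Users\victim\AppData\Roaming\Backdoor.exe"},
    {"t": 0.3, "pid": 100, "type": "ProcessCreate",
     "image": r"C:\Users\victim\AppData\Roaming\Backdoor.exe"},
    # pid 200: run-time style stub loads a .NET assembly from a byte array; such
    # assemblies report no file location (assumption about the telemetry field).
    {"t": 0.1, "pid": 200, "type": "AssemblyLoad", "location": ""},
    {"t": 0.4, "pid": 200, "type": "NetworkConnect", "dst": "127.0.0.1:1234"},
    # pid 300: memory churn for five minutes, then the first connection.
    *[{"t": 1.0 * i, "pid": 300, "type": "MemoryAlloc" if i % 2 else "MemoryCopy",
       "bytes": 64 * 1024 * 1024} for i in range(1, 300)],
    {"t": 310.0, "pid": 300, "type": "NetworkConnect", "dst": "127.0.0.1:1234"},
    # pid 400: benign control, a document save followed by a quick connection.
    {"t": 0.5, "pid": 400, "type": "FileCreate",
     "path": r"C:\Users\victim\Documents\notes.txt"},
    {"t": 0.6, "pid": 400, "type": "NetworkConnect", "dst": "127.0.0.1:443"},
]


def detect(events):
    """Return (pid, rule, detail) findings for the three behaviours the post
    describes: drop-and-execute, in-memory assembly loading, and stalling."""
    by_pid = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["t"]):
        by_pid[e["pid"]].append(e)

    findings = []
    for pid, evs in by_pid.items():
        dropped = set()          # lower-cased .exe paths this process wrote to a drop dir
        seen_connect = False     # only the first connection is judged for stalling
        for e in evs:
            kind = e["type"]
            if kind == "FileCreate":
                path = e["path"].lower()
                if path.endswith(".exe") and any(d in path for d in DROP_DIRS):
                    dropped.add(path)
            elif kind == "ProcessCreate" and e["image"].lower() in dropped:
                findings.append((pid, "drop-and-execute", e["image"]))
            elif kind == "AssemblyLoad" and not e.get("location"):
                findings.append((pid, "in-memory-assembly", "no backing file"))
            elif kind == "NetworkConnect" and not seen_connect:
                seen_connect = True
                earlier = [x["type"] for x in evs if x["t"] < e["t"]]
                if e["t"] >= STALL_SECONDS and earlier and all(k in QUIET_TYPES for k in earlier):
                    findings.append((pid, "stall-then-connect", e["dst"]))
    return findings


def rules_by_pid(events):
    """Convenience view: {pid: set of rule names} for summarising results."""
    out = defaultdict(set)
    for pid, rule, _ in detect(events):
        out[pid].add(rule)
    return dict(out)


if __name__ == "__main__":
    for pid, rule, detail in detect(CONSTRUCTED_EVENTS):
        print(f"pid {pid}: {rule} ({detail})")
```

Each rule maps to one of the post's observations. The first catches the scan-time stub regardless of how the payload was encrypted, because the decrypted file must exist on disk before it runs. The second is why in-memory loading was the next step: no file, no file-based event, so the signal has to come from the runtime itself. The third is the counter to the memory-churn stalling trick: a sandbox that records the time to first meaningful activity, rather than only what happened inside its window, sees "five minutes of nothing, then a connection" as exactly the profile the post is trying to produce.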
Ghost Killer (Account Suspended)
a week ago
#2
good job. thanks.
Ertugrul Bey thanked this post.
aqua (Hunter)
a week ago
#3
Highly appreciated. Simple and nice...
Ertugrul Bey thanked this post.
Dolyetyus (Translator)
a week ago
#4
This is one of the best and most useful topics; btw, thanks for the translation.
---------------------
Good day
Ertugrul Bey thanked this post.
Profesör (Expert Member)
a week ago
#5
Good job. Thanks.
---------------------
GREETINGS TO YOU,
O YOUTH WHOSE YEARS WERE WASTED!
Topic last edited by Dolyetyus (a week ago at 14:09).
Ertugrul Bey thanked this post.
