Integgroll now draws some parallels between the physical and cyber world while depicting the hypothetical struggle needed for refining antivirus efficiency.

So, why am I here? I’m going to tell you a little story about a pentest I was on a little while back. What ended up happening with this pentest is I was working in a company through the organization, and I noticed that they had an ESX server that was open. So I went ahead and downloaded vSphere and did all that stuff so I could actually interact with it. I typed in a default password, and it worked. I saw that they had a bunch of VMs running; I saw that they had a VM template that they were using, so I downloaded the VM template, set it up locally, booted BackTrack on top of it, took the hash out of it, and then just started passing the hash to all those different boxes with the admin hash they had left on the template, because they didn’t change it.
So, while the authentication was properly working, they actually had Symantec Endpoint Protection set up, and it was really well set up. While I sat there and tried a bunch of different AV bypass methods that I had, it took me a little bit to realize what it was picking up on, and it wasn’t necessarily any of the antivirus signatures. It was actually the point where my memory was going from just being writable or readable or rewritable to where it would be executable. And whenever it did that, it would just delete the payload that I had loaded. So that would go away, and I would no longer have that there.
Conveniently, to do any sort of memory injection, especially with things like Metasploit, to get Meterpreter on there, you kind of need to have executable memory to make it really easy. So it’s not something that could just magically happen. I did eventually find a solution for this, but I will talk about it later on, because with everything else that I did, I beat my head against the wall for hours on end, and it made me very embarrassed, because I got the chance to steal the entire operating systems from them, but I didn’t get the chance to actually get in there and really do what felt like the last couple of minutes.

What that really means for us is that antivirus is getting a little bit better over time. It’s not going to happen today or tomorrow, but I really think that Meterpreter’s days are numbered. There’s going to come a time where the antivirus industry is going to have it essentially nailed down, because Meterpreter, as awesome as it is, doesn’t change a whole lot. Most of the new stuff that comes into Meterpreter gets thrown in as additional modules that you load after the fact, and not the actual delivery system. And so, that’s one of the things that we’re going to have to work around. We don’t really have the option of doing it forever, so we’ve got to do something about it. Now, what do we do here? You’ll notice that this (see right-hand image) is a picture of the Alan Parsons Project, and I have this here because they have a song, Time, and I think that time flows like a river, much like they do. So I like to look back whenever I’m thinking about things like that and ask: “How can I solve today’s problems with yesterday’s solutions?” And the thing that I find is, if we look back to the Labor Movement, we can actually find a really good solution for this, I think. For example, back then they were dealing with problems of having really long hours, shitty pay, no job security, and the work they were doing was pretty damn hazardous.
And it wasn’t a good work environment for anyone. These people were getting screwed over, while the people who were up there were making big money and didn’t really care about it. So people ended up banding together on this, and I can imagine the first conversation that actually happened with this, where a guy walks into the office and he is looking at his boss, he’s got his hat in his hand, if he can afford a hat, so that’s an imaginary hat; and he’s talking to his boss. He’s like: “Hey, listen, we’ve got to do something about this, I’m not making enough money to actually survive here, and that’s not a good thing, because I’m never home to see my family. Why do I have any of this? Why am I working this job?” And his boss kind of looks at him and says: “Yeah, you’re fired.”
So, that doesn’t really help him at all. He’s got this organization that wants nothing to do with him, much like I think the antivirus industry is with our industry; and I’ll explain that in a little bit. And so, what ended up happening is everyone had to get together on this, so they had to get as many people as they could into collective bargaining groups, basically, unions, to actually go to their bosses all at once and say: “Listen, you’ve got, effectively, two choices, and they are either a) we stop the work here, or b) you guys actually listen to what we’re saying and help to adjust some of these things.”
And it didn’t all happen overnight. If you look back, there were a bunch of different laws that happened. For example, at one point the fat cats had made collective bargaining illegal for a while. Unions weren’t legal. And then all of a sudden they were back, and then things started to trickle in after that, slowly. So they got it reduced down from a 16-hour day to a 12-hour day, and then gradually to a 10-hour day, and then they got the minimum wage thrown in. And then they got the 10-hour day knocked back to an 8-hour day, which is where we are now – well, not in this industry, but that’s because those extra hours we do on top are usually because we just love it.

And so, while this whole time it wasn’t all sunshine and rainbows, they still got some things done and moved in a direction that really helped them out, and also helped everyone out at that point, because the whole economy of the world actually went up like that – when Britain did it, when we did it, everything turned out better.
Read previous: Stop Fighting Anti-Virus: Pentester’s Viewpoint