Penetration tester Andy Cooper, speaking at the DerbyCon conference, shares his perspective on methods for evading common antivirus defenses.
So, I was at DerbyCon and I couldn’t get my AV working. Fortunately, Adrian Crenshaw was able to jump in and actually assist me and fix this problem. Anyways, my name is Integgroll and I will talk about stopping your fighting antivirus. It’s something that I am kind of passionate about for some strange reason.

I was a systems administrator with a development background. I hate the word or term DevOps – I don’t know why, it just seems odd to me and it doesn’t describe it as well, I think. So I prefer Administration and Development – it works better. Currently I’m a penetration tester.
I wrote Wharf Whacker, which none of you know what that is. If anyone knows what that is, please raise your hand. Ok, that’s, like, three people. That’s exciting, because Wharf Whacker is the world’s only – if somebody else has written one, I’d love to hear about it – two-factor authentication port knocking suite that is written in Python as a library. You can take it and roll it into anything that you want and actually have a two-factor authentication port knocking for anything, that is written in Python.
I learned not too long after DerbyCon last year that I actually have a single user who’s not me. Somebody emailed me and had me assist them getting this running. I don’t know what they’re doing with it; I don’t really want to know, because if you’re using stuff at that point… I’m also an avid curler. By that I mean that I sport with brooms and big stones, the rocks and all of that fun stuff. I love it; it’s an exciting fun time.

I’m also a Luddite. And here is the definition of Luddite that I like to use: it’s “a person opposed to increased industrialization or new technology”. And this quote is actually pretty accurate on this for my opinion on what I am: a small-minded Luddite resisting progress. It’s not like I hate all technology or anything like that – obviously I hate setting up AV stuff.
However, what I mean by that is things like home automation – that scares the shit out of me. I don’t know about you guys, but I don’t want that. Any sort of biometrics – that’s another thing I’m not a fan of. I don’t want that in this world; it’s a terrible idea. But I adhere to new technologies like that, and it makes me kind of cringe a lot. But what it really makes me want to do is take these new technologies and put them into a box, and then put them into another box, mail that box to myself, and then smash it with a hammer.

Now to get a little bit into the actual antivirus evasion part of this talk, I’m going to go back a little bit to Fred Cohen here. Fred Cohen did some pretty interesting research about antivirus. In 1984 he wrote a paper about viruses and how they actually affect the world, and different things along those lines. Then three years later he actually goes out and writes another paper and demonstrates that there’s really no way that antivirus can detect and avoid anything and everything that we can write.
Three years after he really starts looking into it, and he realizes that it is a no-win game. It’s not something that you can actually succeed at. And then in 1989, three years later, he writes another paper about it and actually starts writing antivirus programs.
Even though he saw the defeat in it, he realized that it is something that we kind of need as an industry and as everybody, and so it’s something that we need to go with.

Now I’m going to tell you the only actual antivirus evasion part of this talk. I’m going to give you the exact secrets to avoiding antivirus.
Then you can start bypassing AV for the rest of time, as long as someone else does not write your code that you wrote, which is why you don’t want to share it or recycle it or anything like that, because usually what AV is picking up nowadays is actual stubs from malware that’s sitting around, other things of that sort.

But in realizing all this kind of stuff that is going on, I can’t really just sit down and cancel this stuff out, because, like I said, pentesting is my job. Obviously, Meterpreter is my payload of choice; it’s what I actually like to go with. But the biggest problem on that is that Meterpreter is kind of antivirus’ bitch, in that almost any way that you have of automating it through Metasploit without Pro (because I’m cheap), it’s going to get caught by AV. So, if I just go and PsExec across a network, AV is going to pick it up every single time, because it’s so used to it. So I have to set a custom .exe or do anything else, run it through a different program and do goofy things like that. That’s not always the way I like to do it. I would just like to be able to send a payload and have it work, especially while I am on a pentest.
Some of the common bypass tricks on that if you actually want to make that happen is to rewrite the stager on it so that it actually accepts a different way or does it a little bit differently. And then you have all that stuff nowadays that is doing memory injection using some language, that’s, you know, not what they’re expecting. Or somebody’s encrypting and decrypting it on the other side and injecting it through memory that way. Memory injection is really hot right now, for good reason – it works really well and it tends to bypass a lot of antiviruses. However, it’s not always getting caught right now, but I think part of the reason for that is that the AV industry and different companies as a whole are kind of waiting until they have that problem as a whole solved, because they see that as this one thing that once they’ve solved that problem, all of that goes away, and so they’re not hitting on things individually as it gets incremented upon, at least not as much as I’m noticing.