Packers Part 2

Video Activity

In this module, we'll understand more on packers. We'll demonstrate the visual changes in a malware code when a packer has been included versus the one with no packer. We'll use Cantor Dust to display the visual changes.


Time
9 hours 10 minutes
Difficulty
Advanced
CEU/CPE
9
Video Transcription
I'm going to show you a little demo of the difference we can see in the code. Over on the left here, we have the original bot binary from the Illusion bot that we downloaded from the GitHub page. I'm going to copy it over on the right side. Over here, I've downloaded this program called Cantor Dust. It's made by a researcher; he works in the national labs. His talk at Black Hat, well, the tools he releases are actually really, really good. But he said he'd release more than just this demo and he never did. I don't know what his deal is, but it makes really pretty pictures and it allows us to quickly see what's going on.

We can take our original binary or bot. We can drag it over here and we can say, this thing, we can do it in different coordinate systems. [inaudible] It definitely has some patterns, some lines in it that you can see. It definitely has some data right over here in the corner. You can see these smaller cubes. That is ASCII. Those are the strings that we typically see. Over on the left, we can see these two columns of green. That's all fine and good. It gives us some clear idea of the type of data that's in there. It's basically showing us the bytes.

We have our original bot binary here. I'm going to make a copy of it. I'm going to pull up a command prompt, CMD; it's in this directory. I'm going to download a program, UPX. Like I said, one of the oldest packers, most commonly used. I'm just going to download it for Windows here. I've put the program right here. I'm going to type upx.exe and I'm going to pack the binary copy. It does this little banner. Then it says it edited this file; it compressed the size by 41 percent. That's nearly half of the size it was before. I'll just rename this file to packed.

I'm going to run Cantor Dust again. This was our original bot binary, and this is our packed version. You can see there's really no structure to it. It's a lot of randomness. There is really nothing there that we can point at and say, oh, I can see that there's some structure to this file, that there tends to be a cluster of bytes that are very similar over here. We can't really make much of it. It's because it's compressed; it's high entropy.

Also, I'll show this in the future, but if we run strings on our original binary, we can see that there are plenty: the user agents, the obfuscated strings, the encoded pass, the function calls. If we run the same strings command on the packed binary, we see that there are hardly any. There's a few functions that it needs to resolve the other functions dynamically. There's probably a reference to UPX in there somewhere. Yeah. UPX exclamation point; UPX0, UPX1, UPX2. These are actually the names of the sections. But we'll take a look at that in a bit.

Just for a test, we can look at the hashes: SHA-1, MD5. They are indeed different. All it takes is one bit to be flipped to generate a new hash, or to derive a new hash.

Visual reverse engineering might take hold in the future, but I don't see it happening just yet. The tools aren't quite there, but I definitely recommend this talk. Even if he didn't really release his tool that he said he was going to, it's still pretty inspiring to see what's possible with just visually inspecting a binary.
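The three things the demo checks by eye (structure versus randomness in Cantor Dust, the output of strings, and the UPX0/UPX1/UPX2/UPX! section markers) can be turned into a scriptable triage. The following is an added example written for this page; it is not code from the course, from Cantor Dust, or from UPX. It measures Shannon entropy as a proxy for the "randomness" seen in the packed image, counts printable strings the way the strings tool does, scans for the UPX markers, and hashes both files. The two inputs are constructed in memory as stand-ins for the unpacked and packed bot binaries (the "packed" body is a deterministic high-entropy byte stream, not real UPX output), so the script runs offline with no samples on disk.

```python
"""
Added packer-triage example (not from the course, Cantor Dust or UPX).
Mirrors the visual demo with three measurable checks:
  1. Shannon entropy of the whole file (packed/compressed data sits near 8 bits/byte)
  2. a `strings`-style count of printable ASCII runs
  3. presence of the UPX section-name markers
plus MD5/SHA-1 so we can confirm the packed copy hashes differently.
"""
import hashlib
import math
import re
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


# Section names UPX writes, plus the "UPX!" signature the demo spots in strings output.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX2", b"UPX!")


def upx_markers_present(data: bytes) -> list:
    """Which UPX markers appear anywhere in the file (a cheap, evadable heuristic)."""
    return [m.decode("ascii") for m in UPX_MARKERS if m in data]


def triage(data: bytes, high_entropy: float = 7.0) -> dict:
    """Summarise one file; `high_entropy` is an assumed threshold, tune it for your corpus."""
    entropy = shannon_entropy(data)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "entropy": round(entropy, 2),
        "string_count": len(printable_strings(data)),
        "upx_markers": upx_markers_present(data),
        "likely_packed": entropy >= high_entropy or b"UPX!" in data,
    }


# Constructed stand-ins for the demo's two files (not real malware, not real UPX output).
# UNPACKED: readable strings (user agent, API names) plus repetitive code-like bytes.
UNPACKED = (
    b"MZ" + b"\x90" * 64
    + b"Mozilla/4.0 (compatible; MSIE 6.0)\x00"
    + b"InternetOpenA\x00HttpSendRequestA\x00"
    + (b"\x55\x8b\xec\x83\xec\x10" + b"\x00" * 10) * 200
)
# PACKED: UPX section markers around a deterministic high-entropy body
# (SHA-256 of a counter stands in for the compressed payload).
_BODY = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
PACKED = b"MZ" + b"UPX0\x00UPX1\x00UPX2\x00" + _BODY + b"UPX!"


def compare(original: bytes, packed: bytes) -> dict:
    """Side-by-side report, the scripted version of the two Cantor Dust windows."""
    return {"original": triage(original), "packed": triage(packed)}


if __name__ == "__main__":
    for name, report in compare(UNPACKED, PACKED).items():
        print(name, report)
```

The entropy threshold and the marker scan are both heuristics: a stock UPX build leaves the section names intact, but a trivially modified UPX (or any other packer) will not, and encrypted resources or embedded archives can push an unpacked file over 7 bits/byte. Use the report to decide what to unpack first, not as a verdict.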