00:03
We're going to do another packing example. We looked at the Illusion Bot strings before and after packing. [NOISE] We're going to look at the antivirus detections, and we're going to look at the bot's PE sections.

A good way to get a feel for antivirus detections is a site I've mentioned before, called virustotal.com, and it's a meta antivirus scanning engine. It has many different antivirus products scanning a single file to see if any of them trigger on that file, and that's useful for us, at least. We can upload our original botbinary.exe, and someone in all likelihood has already uploaded it and had it analyzed, and we can see it was originally in 2007, and we can say reanalyze, have it rescanned, but it doesn't really matter. We can take a quick look: pretty much everything has triggered off of it except for the last few for whatever reason, and they all classified it as SDBot or generic Trojan or IRC bot or whatever else. It's known to be bad, and people have even said that it's really bad, and someone posted that new text that we saw in the last video, and we can definitely see that it's a malicious file.
Now, what about the packed exe? I haven't done this before, so I don't know if someone's already packed it and uploaded it and analyzed it, but we'll see how many detections it's gotten. It's also important to note that this is not a good indicator of whether a file is truly malicious, because a lot of these antivirus engines are turned up pretty high in terms of sensitivity. I'm not going to name the product, but I've seen one antivirus company always alert on my Metasploit executables, even though in the real world this antivirus software alert on anything before. [LAUGHTER] They tend to tweak their products to make it look good in terms of detection. VirusTotal makes with these companies is that the antivirus companies will scan a file and alert if they detect it as something. It's almost a competitive disadvantage, because they are flagging something that's malicious that the other antivirus vendors may not know about. The flip side of this is other antivirus vendors know that this file is suddenly malicious, and they can mark it malicious as well.

But what came out recently, we can see that a number of products did not detect our packed file. If we were a malicious actor, ideally this would be down to zero, and a lot of packers on the underground will advertise as fully undetectable, which they call FUD, F-U-D, and it's not something they can guarantee. But some packers are better than others, and since UPX has been around for so long, either most consider it malicious or most antivirus companies know how to unpack it and scan its insides. If we use another packer, it might get even lower detection rates, and if we use a packer on top of a packer, it may get even lower rates. But it did definitely take down our score: even though this binary, this executable, is a really old Trojan, even though UPX is a really old packer, it was still able to elude some antivirus engines. As I was mentioning earlier, what came out in the news recently was that some antivirus companies were purposely marking benign files as malicious and watching other antivirus companies just copy them. It's, I don't know how to say, poisoning the watering hole, if you will.
Here in our Kali machine, we have, I just opened two terminals here, and I browsed to the Malware Analyst's Cookbook code website, Google Code. A lot of it is pretty old. It's 2012 is when most of this was released by [inaudible]; several of the scripts are still useful, and since they're open source, a lot of people have improved upon them and made significant improvements. But I just want to demo something here, and that is, we can download this script and use it to take a look at the sections of a PE file pretty easily with the code they've released. Typically, if I'm just downloading someone's script, I'll take a quick look at it, make sure it's not doing something obviously malicious, but then I'll also make sure I have the right dependencies. I'll copy that and paste this, make sure I can import all these libraries, there's no issues. Import this and there's no issues, because I already have the PE dependency, which most people don't by default. The most popular Python package installer, it says it's already installed, and I say, great.
I'm going to look for an executable on Kali, an exe file, of which there are plenty. I'm just going to do a locate command. Find would probably be faster, but locate is simpler to use, in my opinion. We find plenty of very useful Windows executables like the netcat version for Windows, exe2bat, Windows Credential Editor, so on and so forth. I'm going to take one of these, let's say wget, let's take netcat. A lot of antivirus companies will alert on netcat, because it's pretty easy to just open up a port and start listening or make a pretty rudimentary backdoor. I'm going to copy it to the desktop. I just saved the PE scanner and I just downloaded or copied over netcat, and I'm going to run the script by typing in Python scanner. Let's see, I can make it. I'm going to specify nc.exe. This Python scanner, or the PE scanner, will go through and say, "Okay, what's this file? What's the MD5? SHA-1? When was it compiled?" It marks it as suspicious because it's 1998, and that's pretty old for an executable. The code-checking algorithm, or basic corruption checking, not as good as a hash, but it's just basic checking to see if anything was corrupted while on disk, because hard drives used to fail a lot more than they do now.
We can see the sections here, and I want you to take note of the virtual size versus the raw size. The raw size is how big it is in the file. This is usually aligned to a certain byte value, and it has pretty rounded-up numbers, and we can see here that it says, "Okay, I need this much memory to run this code in this section. I need this much memory to access this," etc. We can see the entropy values are right here on the right. It goes from one byte to another to another to another to see how much difference there is between the bytes. Since UPX has been around for so long, and it stands for the Universal Packer compressor, I think. It is also ported to Linux and can pack ELF executables. But more importantly, we can use it to pack Windows executables as well on Linux.
I'm going to say upx netcat.exe. It opened up the netcat file, compressed it, and then resaved it. We also got a 50 percent compression rate. Again, we shrunk the binary to half its size. Let's run our little PE scanner script again. We can see that again, the hash has changed, the size has changed, the date stayed the same. UPX was sure to preserve that. Changed and it goes into a weird section. The script has marked that as suspicious. Not correct, and I think that's suspicious. But more importantly, here down where we can see the virtual size versus the raw size, the raw size is zero. There's no code on disk. There's no nothing on disk in the file. But it's still requiring a lot of memory. This is why it's considered suspicious. There's no real difference between the raw size and virtual size, but it has a very high entropy. Here there is too big a difference between the virtual size and the raw size, and the entropy is fairly low, so this is not suspicious. This is probably where some of our unpacking code is. The entry point is at UPX1, so it's going to begin its execution in this section. Whereas before, it would have begun its execution in the .text section, which is fairly common. This is one of the first scripts that I run on an executable just to get an idea of if it's packed, especially if I don't see any strings right away.
Another tool that is very useful is PEiD. PEiD is no longer developed or really maintained, but it's free to download and use. I'm going to revert this machine, ready to be infected. PEiD has a small database of packers. There are people who have collected very large databases of packer signatures. Some false positives, but overall it's a pretty good way to just get an idea for whether a file is packed or not.

We have a fresh copy of our ready-to-be-infected VM. I'm going to drag and drop over PuTTY, a simple SSH client, and it can actually do a lot more than that. PEiD, which as I described earlier is a bit old but still a useful tool, and a lot of people still have PEiD databases that are fairly large and have a lot of signatures for different packers. If we just drag and drop an executable like this, we can see that it's using the Win32 GUI subsystem, compiled with Microsoft Visual C++, and has the entry point in the .text section. We can actually look at the other sections to see what's there, the virtual size and the raw size, so we can visually inspect what our script was telling us, and we can actually even have a mini disassembler show us some interesting stuff. Not as good as either, but still it's useful sometimes.
On to the desktop and upx.exe putty.exe; now we have packed about 50 percent again, and if we execute PuTTY, it executes just the same. It's unfolding in memory, it's decompressing, it's doing its thing and executing the original code. That's very useful. Let's run PEiD again. Nothing found. Scan it again. But usually it will detect that, that is UPX, but there's nothing detecting right now. Probably because I haven't really provided it with a good database. The database is here. That's the reason why: there's no userdb in the database. I'm just going to Google PEiD signatures. There's quite a few of them out there. I'm just going to go with a big one. It contains characters in Unicode. I hope they don't mess up the database. But again, I'm just trying it. Nothing found, but the database is a bit messed up because there were Unicode characters. I'm going to do a save as. I'm just going to transfer the file manually. I'm just going to replace it and rerun PEiD. There's something wrong with that database. I'm going to use a different database. Apparently the other one from [inaudible] isn't very good. Nothing found. It is not detecting UPX. That is the first time I've ever seen that. There's a signature for it, 4.6 and probably above. It's looking for that and more signatures. Let's see. What's the version of this UPX? Since UPX is open source, a lot of people have taken that source code and modified it more to use in their own projects. If we look at our just-packed PuTTY, there's no signatures in the database we grabbed from the Internet for the newest version of PuTTY. Although I expected there would be. We can see that there is a signature for that, because the UPX program itself was packed with UPX 2.93. Our signature database that we just grabbed off the Internet definitely is working. But it hasn't been updated for the newest version.
As we saw in our demonstration, before packing we could see lots of strings in our Illusion Bot. We could see that almost everything was triggering off of some detections. A lot of AV vendors were triggering off of signatures that they had made a long time ago for Illusion Bot, and it had its typical PE sections. After packing, there were almost no strings. There were fewer antivirus detections, and they had completely different sections. I did a quick little thing showing you PEiD. Almost every malware analyst has PEiD, and they keep their signatures updated. I typically don't rely on such things.