00:04
We're going to do another packing example. We looked at the Illusion Bot strings before and after packing,
00:13
and we're going to look at the AV, antivirus, detections,
00:19
and we're going to look at the bot's PE sections.
00:24
So a good way to get a feel for antivirus detections
00:29
is a site I've mentioned before, called virustotal.com,
00:37
an antivirus scanning engine.
00:40
So it has many, many different antivirus products scanning a single file to see if any of them
00:54
and that's useful for us at least,
01:15
so we can upload our original bot binary, the .exe.
01:22
And someone in all likelihood has already uploaded it and had it analyzed. And we can see
01:30
it was originally in 2007.
01:34
Reanalyze, like have it rescanned, but
01:38
it doesn't really matter. We can take a quick look at it.
01:42
Pretty much everything has triggered off of it,
01:46
except for these last few, for whatever reason.
01:51
And they all classified it as [unclear] or generic Trojan or
01:57
IRC bot or whatever else, and it's known to be bad, and people have even said that it is,
02:04
you know, it's really bad. And
02:06
someone's posted that mutex that we saw in the last video, and
02:14
see that it's a malicious file.
02:16
Now what about the packed .exe?
02:25
I haven't done this before, so I don't know if someone's already packed it and uploaded it and analyzed it.
02:35
We'll see how many detections it's got.
02:39
It's also important to note that this is not a good indicator
02:46
that a file is truly malicious,
02:49
because a lot of these antivirus engines are turned up pretty high
02:55
in terms of sensitivity.
03:01
You know, I'm not going to name the product, but I've seen one antivirus company always alert on my Metasploit executables,
03:12
even though in the real world
03:13
I've never seen this antivirus software alert on anything before.
03:20
They tend to tweak their products to make them look good
03:24
in terms of detection.
03:31
The deal that VirusTotal makes with these companies is that
03:36
the antivirus companies will scan,
03:42
if they detect it as something, so it's almost a competitive disadvantage, because they're flagging something as malicious that the other antivirus vendors may not know about,
03:53
and the flip side is, the other antivirus vendors
03:57
now know that this file is something malicious and mark it malicious as well. But what came out recently,
04:03
we can see that a number of products did not detect our packed file.
04:12
You know, if we were a malicious actor, ideally this would be down to zero.
04:15
And a lot of packers on the underground will
04:19
advertise as fully undetectable, which they call FUD,
04:28
and it's not something they can guarantee,
04:31
but some packers are better than others. And since UPX has been around for so long, either
04:38
most consider it malicious, or most antivirus companies know how to unpack it
04:44
and scan its insides.
04:47
If we use another packer, it might get even lower detection rates. And if we used a packer on top of a packer,
04:55
it may get even lower rates. So,
04:59
but it did definitely take down our score. Even though this binary, this executable, is a really old Trojan, and even though UPX is a really old packer, it was still able to elude
05:13
some antivirus engines, as I was mentioning earlier. What came out in the news recently was that some antivirus companies were purposely marking benign files as malicious on VirusTotal and watching other antivirus companies just copy them. And,
05:35
I don't know how to say it, poisoning the watering hole, if you will.
05:42
Here in our Kali machine,
05:47
I just opened two terminals here
05:49
and I browsed to the Malware Analyst's Cookbook
05:54
code website on Google Code. A lot of it is
05:58
pretty old. It's, ah,
06:00
2012-ish when most of this was released, but several of the scripts are still useful. And since they're open source, a lot of people have improved upon them
06:11
and made significant improvements. But I just wanted to demo something here:
06:17
we can download the script and use it to take a look at
06:24
sections of a PE file pretty easily with the code they released. Typically,
06:31
if I'm just downloading someone's script, I'll take a quick look at it, make sure it's not doing something obviously malicious, but then also make sure I have the right dependencies.
06:42
I pasted it in to make sure I can import all these libraries. There are no issues,
06:48
and there are no issues because I already have pefile,
06:57
which most people don't have by default; you can do it with pip, the most popular Python package installer.
07:12
And it says it's already installed. And I say, great.
07:21
I'm going to look for an executable,
07:29
of which there are plenty.
07:30
So I'm just going to use the locate command.
07:33
find would probably be faster, but locate is simpler to use, in my opinion.
07:42
There are very useful Windows executables, like the netcat version
07:51
for Windows, [unclear], Windows Credential Editor, and so on and so forth.
08:01
I'm going to take one of these. Let's say wget; ah, simpler: netcat.
08:11
A lot of antivirus companies will alert on netcat because it's pretty easy to just open up a port and
08:20
start listening, or make a pretty rudimentary backdoor.
08:24
So I'm going to copy it to the desktop.
08:28
So I just saved the PE scanner, and I just
08:33
downloaded, or copied over, netcat.
08:37
And I'm going to run this script
08:48
and I'm going to specify nc.exe.
08:56
This Python scanner, or the PE scanner, will go through and say, okay, it was this file, MD5, SHA1, when was it compiled,
09:07
and it marks it as suspicious because of 1998. That's pretty old for an executable.
09:20
The checksum algorithm, or basic corruption checking,
09:26
is not as good as a hash, but it's just basic checking to see if anything was corrupted while on disk,
09:35
because hard drives used to fail a lot more than they do now.
09:37
And we can see the sections.
09:43
And I want you to take note of the virtual size
09:46
versus the raw size. The raw size is how big it is in the file, and this is usually aligned to a certain byte value,
09:56
so it has pretty rounded-up numbers. And we can see here that it says, okay, I need this much memory to run this code in this section,
10:07
I need, you know, this much memory to
10:11
access it, et cetera, et cetera.
10:13
And we can see the entropy values are right here on the right. So it goes from one byte to another to another to another to see how much difference there is between
10:24
the bytes. Since UPX has been around for so long, and it stands for the universal
10:37
it is also ported to Linux and can pack ELF executables.
10:43
But more importantly, we can
10:46
use it to pack Windows executables as well on Linux.
10:52
So I'm going to say upx,
10:58
So it opened up the netcat file, compressed it, and then resaved it.
11:03
So we also get a 50% compression rate.
11:09
So again we shrunk the binary to half of its size.
11:20
PE scanner script again.
11:24
And we can see that again, the hash has changed, the size has changed.
11:28
The date stayed the same; UPX was sure to preserve that.
11:41
has changed, and it goes into a weird section. So the script has marked that as suspicious. CRC is again
11:56
correct. And so I think that's suspicious. But more importantly,
12:01
here, down where we can see the virtual size versus the raw size, the raw size is zero. So there's no code in this, there's nothing on disk in the file,
12:11
but it's still requiring a lot of memory,
12:16
and this is why it's considered suspicious.
12:20
Here we can see
12:24
there's no real difference between the raw size and virtual size, but it has a very high entropy,
12:28
so that is suspicious.
12:31
So here the virtual size and the raw size aren't too big a difference, and the entropy is fairly low. So this is not suspicious, and this is probably where our
12:45
so our unpacking code
12:48
So we can see the EP, the entry point,
12:54
is at UPX1, so it's going to begin its execution in this section,
13:01
whereas it would have begun its
13:03
execution in the .text section, which is fairly common.
13:11
It's useful. This is one of the first scripts I run on an executable, just to get an idea if it's packed, especially if I don't see any strings right away.
13:22
Another tool that is very useful
13:28
And PEiD is no longer developed or really maintained, but free to download and use.
13:37
I'm going to go to my virtual machine, ready to be infected.
13:48
So PEiD has a small database of packers,
13:52
and there are people who have collected very large databases of packer signatures,
13:58
some false positives,
14:01
but overall it's a pretty good way to just get an idea for
14:07
whether a file was packed or not.
14:11
Okay, so we have a fresh copy of our ready-to-be-infected VM.
14:16
I'm going to drag and drop over PuTTY,
14:22
an SSH client, and it can actually do a lot more than that.
14:30
PEiD, which, as I described earlier, is a bit old, but still a useful tool. And a lot of people still have
14:39
PEiD databases that are fairly large
14:43
and have a lot of signatures for different packers.
14:46
So if we just drag and drop an executable, like PuTTY,
14:50
onto PEiD, we can see that it's using a
14:56
Win32 subsystem, compiled with Microsoft Visual C++, and
15:03
it has the entry point in the .text section. We can actually look at the other sections to see what's there, the
15:11
virtual size and the raw size,
15:16
so we can kind of visually inspect what our script was telling us, and we can actually even have a mini disassembler kind of
15:22
show us some interesting stuff.
15:26
Not as good as IDA, but still, it's kind of useful sometimes.
15:50
Yeah. So, upx putty.exe.
15:54
Now we have packed PuTTY, about 50% again,
16:00
and if we execute putty.exe, it's just the same. So
16:04
it's unfolding in memory, it's decompressing, it's doing its thing and executing the original code.
16:11
That's very useful. Let's run PEiD again.
16:26
Usually it will detect that that is UPX, but there's nothing detected right now, probably because I haven't really provided it with a good database. The database is here, huh? Well, see, that's the
16:37
That's your reason why:
16:41
the userdb.txt database.
16:44
So I'm just going to Google,
17:17
and there's quite a few of them out there.
17:21
I'm just going to go with
17:32
It contains Unicode characters.
17:37
Let's open up the database.
17:38
But again, I'm just kind of
17:45
Nothing found. Part of the database is messed up because
17:49
there were Unicode characters. So I'm going to save as
17:57
I'm just going to transfer the file.
18:07
I'm just going to replace it.
18:15
There's something wrong with it.
18:18
Something's wrong with that database. So I'm going to use a different database.
18:22
The one from SANS isn't very good.
18:33
I'm going to go in and say replace it,
18:38
because the SANS one wasn't very good.
19:07
Nothing found, huh. It's not detecting UPX. So this is
19:12
the first time I've ever seen that.
19:19
There's a signature for it
19:22
for 0.6 and probably above.
19:26
I was looking for that. Yeah, and more signatures and more signatures
19:47
since it was a version of this UPX.
20:04
Since UPX is open source, a lot of people have taken that source code and modified it more to,
20:18
to use in their own projects.
21:30
Look at our just-packed PuTTY.
21:33
There are no signatures in the database we grabbed
21:36
from the internet for the newest version of PuTTY,
21:41
although I expect there would be,
21:51
but if we grab UPX, we can see that there is a signature for that, because the UPX program itself was packed.
22:03
So our signature database that we just grabbed off the internet definitely is working,
22:10
but it hasn't been updated for the newest version.
22:14
So as we saw in our demonstration,
22:18
before packing we could see, you know, lots of strings in our Illusion Bot. We could see that almost everything was triggering off of some protections, or
22:29
a lot of AV vendors were triggering off of
22:32
signatures that they had made a long time ago for Illusion Bot, and Illusion Bot had its typical PE sections. After packing, there were almost no strings, they were very
22:45
there were fewer antivirus detections, and it had completely different sections.
22:52
And I did a quick little thing showing PEiD.
22:56
Almost every malware analyst has PEiD, and they keep their signatures updated.
23:03
I typically don't rely on