We're gonna do another packing example. We looked at the IllusionBot strings before and after packing, and we're gonna look at the AV, antivirus, detections, and we're going to look at the bot's PE sections.
So a good way to get a feel for antivirus detections is a site I've mentioned before called virustotal.com, an antivirus scanning engine. It has many, many different antivirus products scanning a single file to see if any of them... and that's useful for us at least, so we can upload our original bot binary, the .exe. And someone in all likelihood has already uploaded it and had it analyzed, and we can see it was originally in 2007. Reanalyze, like have it rescanned, but it doesn't really matter. We can take a quick look at it. Pretty much everything has triggered off of it, except for these last few, for whatever reason. And they all classified it as SDBot or a generic Trojan or IRC bot or whatever else, and it's known to be bad, and people have even said that, you know, it's really bad. And someone's posted that mutex that we saw in the last video, and see that it's a malicious file.

Now what about the packed EXE? I haven't done this before, so I don't know if someone's already packed it and uploaded it and analyzed it. We'll see how many detections it's got.
It's also important to note that this is not a good indicator that a file is truly malicious, because a lot of these antivirus engines are turned up pretty high in terms of sensitivity. You know, I'm not going to name the product, but I've seen one antivirus company always alert on my Metasploit executables, even though in the real world I've never seen this antivirus software alert on anything before. They tend to tweak their products to make it look good in terms of detection. The deal that VirusTotal makes with these companies is that the antivirus companies will scan... if they detect it as something, so it's almost a competitive disadvantage, because they're flagging something as malicious that the other antivirus vendors may not know about, and the flip side is, other antivirus vendors know that this file is something malicious and mark it malicious as well. But what came out recently... we can see that a number of products did not detect our packed file. You know, if we were a malicious actor, ideally this would be down to zero. And a lot of packers on the underground will advertise as fully undetectable, which they call FUD, and it's not something they can guarantee, but some packers are better than others. And since UPX has been around for so long, either most consider it malicious or most antivirus companies know how to... and scan its insides. If we used another packer, it might get even lower detection rates, and if we used a packer on top of a packer, it may get even lower rates. But it did definitely take down our score, even though this binary, this executable, is a really old Trojan, even though UPX is a really old packer; it was still able to elude some antivirus engines. As I was mentioning earlier, what came out in the news recently was some antivirus companies were purposely marking benign files as malicious on VirusTotal and watching other antivirus companies just copy them. And, I don't know how to say it... poisoning the watering hole, if you will.
Here in our Kali machine, I just opened two terminals and a browser to the Malware Analyst's Cookbook code website on Google Code. A lot of it is pretty old; it's 2012 when most of this was released, but I find several of the scripts still useful, and since they're open source, a lot of people have improved upon them and made significant improvements. But I just wanted to demo something here: we can download the script and use it to take a look at sections of a PE file pretty easily with the code they released. Typically, if I'm just downloading someone's script, I'll take a quick look at it to make sure it's not doing something obviously malicious, but then also make sure I have the right dependencies. Pasted to make sure I can import all these libraries; there's no issues. And there's no issues because I already have pefile, which most people don't by default. You can pip install the most popular Python one, and it says it's already installed, and I say, great.

I'm going to look for an executable, of which there are plenty. So I'm just going to use the locate command. find would probably be faster, but locate is simpler to use, in my opinion. Very useful Windows executables, like the Netcat version for Windows, you know, Windows Credential Editor, so on and so forth. I'm gonna take one of these. Let's say wget... that's simplistic. Netcat. A lot of antivirus companies will alert on Netcat because it's pretty easy to just open up a port and start listening or make a pretty rudimentary backdoor.
So I'm going to copy it to the desktop. So I just saved pescanner, and I just downloaded or copied over Netcat. And I'm gonna run this script and specify nc.exe. This Python scanner, or the pescanner, will go through and say, okay, it was this file, its MD5, SHA1, when it was compiled, and it says it marks it as suspicious because 1998, that's pretty old for an executable. The CRC checking algorithm, or basic corruption checking, is not as good as a hash, but it's just basic checking to see if anything was corrupted while on disk, because hard drives used to fail a lot more than they do now. And we can see the sections, and I want you to take note of the virtual size versus the raw size. The raw size is how big it is in the file, and this is usually aligned to a certain byte value, and so it has your pretty rounded-up numbers. And we can see here that it says, okay, I need this much memory to run this code in this section; I need, you know, this much memory to access this, et cetera, et cetera. And we can see the entropy values right here on the right. So it goes from one byte to another to another to another to see how much difference there is between the bytes.

Since UPX has been around for so long, and it stands for the Universal... it is also ported to Linux and can pack ELF executables. But more importantly, we can use it to pack Windows executables as well on Linux. So I'm gonna say upx... So it opened up our Netcat file, compressed it and then re-saved it. So we also get a 50% compression rate; so again we shrunk the binary to half of its size.
pescanner script again. And we can see that again, the hash has changed, the size has changed. The date stayed the same; UPX was sure to preserve that. ...has changed and it goes into a weird section, so the script has marked that as suspicious. CRC again, correct. And so I think that's suspicious, but more importantly, here, down where we can see the virtual size versus the raw size: the raw size is zero. So there's no code in this, there's nothing on disk in the file, but it's still requiring a lot of memory, and this is why it's considered suspicious. Here we can see there's no real difference between the raw size and the virtual size, but it has a very high entropy, so that is suspicious. So here the virtual size and the raw size aren't too big a difference, and the entropy is fairly low, so this is not suspicious, and this is probably where our... so our unpacking code. So we can see the EP, the entry point, is in that UPX1, so it's gonna begin its execution in this section. It would have begun its execution in the .text section, which is fairly common. It's useful; this is one of the first scripts I run on an executable, just to get an idea if it's packed, especially if I don't see any strings right away.
Another tool that is very useful... PEiD is no longer developed or really maintained, but free to download and use. I'm gonna go to the VM ready to be infected. So PEiD has a small database of packers, and there are people who have collected very large databases of packer signatures, with some false positives, but overall it's a pretty good way to just get an idea of whether a file was packed or not.

Okay, so we have a fresh copy of our ready-to-be-infected VM. I'm gonna drag and drop over PuTTY, an SSH client, and I can actually do a lot more than that. Which, as I described earlier, is a bit old, but still a useful tool, and a lot of people still have... PEiD databases are fairly large and have a lot of signatures for different packers. So if we just drag and drop an executable, like PuTTY, onto PEiD, we can see that it's using the Win32 subsystem, compiled with Microsoft Visual C++, and it has the entry point in the .text section. We can actually look at the other sections to see what's there, the virtual size and the raw size, so we can kind of visually inspect what our script was telling us, and we can actually even have a mini disassembler kind of show us some interesting stuff. Not as good as IDA, but still, it's kind of useful sometimes.
Yeah. See, upx putty.exe. Now we have packed PuTTY, about 50% again, and if we execute putty.exe, it's just the same. So it's unfolding in memory, it's decompressing, it's doing its thing and executing the original code. That's very useful. Let's run PEiD again. Usually it will detect that that is UPX, but there's nothing detecting right now, probably because I haven't really provided it with a good database. The database is here, huh? Well, see, that's the... that's your reason why: the userdb.txt database. So I'm just gonna Google, and there's quite a few of them out there. I'm just gonna go with... it contains characters in Unicode. Let's update the database. But again, I'm just kind of... Nothing found. The database is messed up because there were Unicode characters. So I'm gonna save as... I'm just gonna transfer the file. I'm just gonna replace it. There's something wrong with it, something wrong with that database, so I'm gonna use a different database. Charlie Owen from SANS isn't very good. I'm gonna say replace it, because the SANS one wasn't very good. Nothing found, huh, it's not detecting UPX. So this is the first time I've ever seen that. There's a signature for it for 0.6 and probably above. I was looking for that. Yeah, and more signatures and more signatures, since it was a version of this UPX. Since UPX is open source, a lot of people have taken that source code and modified it more to use in their own projects. Look at our just-packed PuTTY: there's no signatures in the database we grabbed from the Internet for the newest version of PuTTY. Although I expect there would be... but if we grab UPX, we can see that there is a signature for that, because the UPX program itself was packed. So our signature database that we just grabbed off the Internet definitely is working, but it hasn't been updated for the newest version.
So as we saw in our demonstration, before packing we could see, you know, lots of strings in our IllusionBot. We could see that almost everything was triggering off of some protections, or a lot of AV vendors were triggering off of signatures that they had made a long time ago for IllusionBot, and IllusionBot had its typical PE sections. After packing, there were almost no strings, there were fewer antivirus detections and it had completely different sections. And I did a quick little thing showing PEiD. Almost every malware analyst has PEiD and they keep their signatures updated. I typically don't rely on
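As an added example (not the Malware Analyst's Cookbook pescanner script and not part of the video), here is a small Python script that applies the three section checks walked through above: a section with zero raw size but a large virtual size, a section with very high entropy, and an entry point that sits outside .text. Since no binary ships with this page, it assembles a constructed minimal PE32 with a UPX-style UPX0/UPX1/.rsrc layout; the 7.0 entropy threshold and the flag wording are assumptions.

```python
import math
import struct

HIGH_ENTROPY = 7.0  # assumed threshold (bits/byte); compressed or encrypted data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    probs = [data.count(b) / len(data) for b in set(data)]
    return -sum(p * math.log2(p) for p in probs) if probs else 0.0

def scan_sections(pe: bytes) -> dict:
    """Walk the section table; returns {name: {"vsize", "rawsize", "entropy", "flags"}}."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)  # COFF header
    opt = e_lfanew + 24                                  # optional header follows the 20-byte COFF header
    entry = struct.unpack_from("<I", pe, opt + 16)[0]    # AddressOfEntryPoint (same offset in PE32 and PE32+)
    report = {}
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0").decode(errors="replace")
        ent = round(shannon_entropy(pe[rawptr:rawptr + rawsize]), 2)
        flags = []
        if rawsize == 0 and vsize > 0:
            flags.append("no bytes on disk, memory reserved")   # the UPX0 pattern
        if ent >= HIGH_ENTROPY:
            flags.append("high entropy")                      # the UPX1 pattern (compressed payload)
        if vaddr <= entry < vaddr + max(vsize, rawsize) and name != ".text":
            flags.append("entry point outside .text")
        report[name] = {"vsize": vsize, "rawsize": rawsize, "entropy": ent, "flags": flags}
    return report

def build_pe(sections, entry_rva: int) -> bytes:
    """Assemble a minimal PE32 from (name, vsize, vaddr, raw bytes) tuples: constructed input, not a real binary."""
    raw_off = (0x40 + 4 + 20 + 96 + 40 * len(sections) + 0x1FF) & ~0x1FF  # headers padded to a 512-byte boundary
    table, blobs = b"", b""
    for name, vsize, vaddr, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(data),
                             raw_off + len(blobs) if data else 0, 0, 0, 0, 0, 0)
        blobs += data
    opt = (struct.pack("<H", 0x10B).ljust(16, b"\0") + struct.pack("<I", entry_rva)).ljust(96, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_off, b"\0") + blobs

# Constructed UPX-style layout: UPX0 is empty on disk, UPX1 holds the compressed image and the entry point.
PACKED = build_pe([(b"UPX0", 0x20000, 0x1000, b""), (b"UPX1", 0x2000, 0x21000, bytes(range(256)) * 2),
                   (b".rsrc", 0x200, 0x23000, b"\0" * 0x200)], entry_rva=0x21100)
if __name__ == "__main__": print(scan_sections(PACKED))
```

Point scan_sections at the bytes of a real file to get the same three verdicts pescanner gave for nc.exe before and after UPX; a benign .text-only image yields no flags.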