New AV evasion techniques

Introduction :

End-point security softwares are security software that run in background on endpoint like individual computers ,phones and almost all network-enabled devices .Their main duty is to monitor network traffic of a company and provide a combination of services like web security ,firewall monitoring , antivirus ,file lookup services(runs integrity check and prevents process injection malwares),intrusion detection system,behavior and heuristic analysis . Anti-virus software are a subset of end-point security software and their main task is to remove viruses ,Trojan,worms etc from mostly individual computer(home users and small businesses). Unlike anti-virus software , endpoint security software may also offer other features like incident investigation. It also integrates with third-party tools like SIEM (security information and event management) software and are centrally managed.

The previous decade showed some fast transition of approach from end-point security companies like SaaS-based protection to help integrate cloud computing with security softwares , having a layered protection against file-less malwares ,etc. Though some of these features have successfully been integrated in end-point security softwares ,others have been a problem to integrate like layered protection against file-less malwares gives a lot of false positives , integration of Machine learning and artificial intelligence have also been a point worry as it had failed in a lot of cases like By taking strings from an online gaming program and appending them to malicious files, researchers were able to trick Cylance’s AI-based antivirus engine into thinking malwares like WannaCry are genuine softwares ,causing a lot financial and time loss to comapany as software had to be trained from starting. There were also an attempt to put IoT devices under malware-prevention softwares and prevent attacks like marai botnet DDoS,but it is too facing significant challenges as there’s a huge variety of IoT devices available(having different architecture and operating systems) and it isn’t possible to put this variety of under a single softwares umbrella.

Though end-point security software claim to be almost perfect and able to detect and mitigate any zero-day attack ,but past experience have shown us that they can be fooled or defeated by using some tricks like using stolen certificate , using fake web certificates ,using stenography etc . These series of blog discuss them one-by-one.

1)Use of fake digital certificates:

Digital certificates or SSL certificates are small data files that helps us to authenticate a website by making a cryptographic link between ownership and public key of the owner . It too contains metadata related to digital certificate and digital signature of certification authority.They help us to create a SSL/TLS encrypted connection between web browser and web server.

Basics :

There are two encoding styles of certificates —

1. DER-encoded (Distinguished Encoding Rules) : this protocol certificates contain unprintable ASCII characters,which some protocols like SMTP cannot understand.It also has strings of name of certifying authority and to which website this certificate is issued to.

View DER encoded Certificate

openssl x509 -in certificate.der -inform der -text -noout

2)PEM-encoded certificates are understandable by all internet protocols.It is basically BASE64 encoding of DER-certificate after — — -BEGIN CERTIFICATE — — — tag.It includes all ASCII printable characters.

View PEM encoded certificate

Use the command that has the extension of your certificate replacing cert.xxx with the name of your certificate

openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.cer -text -noout
openssl x509 -in cert.crt -text -noout

It was seen that harmless looking digital certificates that are often neglected from scanning and suspected scope of both user and anti-virus vendors are a great help to malicious hackers who can infiltrate malicious code through network scanner and firewalls without raising alarms or disabling anti-virus software.

PEM-based certificate

It was noticed in our sample that it looked like a legitimate certificate to a normal user (it had — — -BEGIN CERTIFICATE — — — and — — -END CERTIFICATE — — — tags that tells us that its a certificate file) , but closely analyzing it tells us that its magic bytes(first few header bytes) are not valid. The magic bytes of DER-encoded certificate is 0x3082 and for PEM-encoded certificate it is BASE64 encoding of DER-encoded certificate that is MII= .(as shown in above image)

NOW THE FAKE CERTIFICATE:

Malicious Certificate

As shown in [image2], the certificate looks almost normal and easily evades all the anti-virus in the static analysis. After decoding the malicious certificate we found that the file was a Linux executable file(header bytes-504B) . The hacker would too try to use certutil command (that is built into windows and is used to dump and display certification authority (CA) configuration information) to covertly bypass scanners.

Run Command : > certutil -decode malicious.cer dumped

Decoded Certificate

As we can find that PK is the signature for a ZIP archive. Thus after certutil tool dumps the certificate, a zip file is created on the system. This zip file could then be used to initiate further attacks like self-extracting zip or acts as dropper for other files.

Problem:

Downloading and extracting certificates is a daily routine for computers and this has to be done at a rapid pace to ensure good user experience , thus adding a layer of protection between downloading and decoding certificates can hamper user experience ,too websites have minimum timeout after which they do not accept reverse connections(408 Request Time-Out) ,so even if we do implement some dynamic checks on decoding certificates ,it has to be done without hampering user experience and proper functioning of internet.

Possible Solution:

Having a basic header bytes check can easily defeat the samples like above (thus maintaing both speedy examination and prevention).

But we need to keep this in mind that this trick of exfiltrating sensitive data from computer as well as make malicious traffic enter system covertly could be implemented as second staged attack after initial infection thus author can easily strip first few bytes(which may appear to be genuine,and bypass our header check) and then decode sample ,thus thorough check has to be done of certificates without compromising user experience.

This is a short blog, and a part 1 of 10 blogs, that I had planned. This is my first tryst with blogging. Hope you enjoyed reading.

Part2: Have a look at techniques like sim swap and USB rubber ducky attack in the next part

New AV evasion techniques- 2