This will be the final post in which I present one of the many infection and evasion techniques used by criminals today. In this article, which I hope is shorter than the previous ones (https://samuelalonsog.wordpress.com/2015/08/14/bypassing-perimeter-security-and-malware-evasion-1/ and https://samuelalonsog.wordpress.com/2015/08/24/bypassing-perimeter-security-and-malware-evasion-2/), I assume you are already comfortable with pcap analysis and Wireshark, as the main aim of this post is to demonstrate how the malware evades perimeter defenses such as antivirus and IDS.
As usual we start with a pcap file, and I am going to answer the following questions:
1) What is the exploit kit (EK)?
The fastest way to do this from an analysis perspective is to look at the IDS sensors. I am still meaning to install my Onion Linux box… so I used VirusTotal and uploaded the pcap file.
Surprisingly, 0 antivirus engines detected the malicious payload in this drive-by download attack; however, the network IDS detected the Angler EK. Looking at the messages, it detected the Angler EK payload as encoded. I will explain shortly what ‘encoded’ means here.
2) What web browser and version was used by the infected host?
Following the TCP stream we get to Internet Explorer 9 (MSIE 9).
3) What is the XOR key used to obfuscate the malware payload?
Before I answer this question, I would like to provide some situational awareness on this topic. All AVs work using signatures, which means that if the malware strain has not been seen before, the AV will not be able to detect it; the same happens if the malware is encoded or encrypted so that the AV cannot recognize the piece of malware. In the previous screenshots you can see how 0 antivirus engines detected the malicious code, because it is encoded. On the other hand, the IDS was capable of detecting the Angler EK payload as encoded. Before we move forward with this particular case, you can check here what techniques, as of 2015, are being used to bypass network and endpoint security measures.
In our particular case we are looking at a technique in the second category (confusing automated tools), as no AV was capable of detecting the malware and, as further analysis will reveal, the evil is within the packet capture. The technique used in this drive-by download is a XORed payload. The main trick here is to confuse any automated tool, such as an AV, that looks to match a signature from its database. When the payload has been XORed with a particular key its functionality stays intact, but the ‘shape’ of the payload changes and therefore its signature is no longer recognized by the automated tool. The XOR cipher is a relatively simple cipher that encrypts (encodes) the input by XORing it against a key to create the output.
Now it is time to answer this question. It is very simple, as all you need is to understand the previous concepts and have a good understanding of the XOR cipher. The key used to XOR the payload is applied to every byte of the data that needs to be encoded, XORing each byte with the corresponding byte of the key and starting over from the first key byte when the key runs out. Wherever the original data is a long run of identical bytes (such as zero padding), the output repeats with the period of the key, which is why patterns appear in the capture. If you go to your pcap file you will recognize some patterns that repeat throughout the capture, such as the one in the images below.
Can you see the pattern in the hex dump? I am sure you do…
Let’s assume that you are not very good at reading raw data; in that case you have other options. Once you have identified the data dropped through the session objects, you only need to save that object, which will generate a file. Now you can analyze that file with other tools; I used xortool from the REMnux malware analysis distro.
This tool will give you the decoded XORed file and the key that was used. The tool generates a xortool_out directory in which you can find the decoded version of the file you passed to the Python script. In this case the key used was adR2b4nh, which matches what we saw in the pcap file. If you go through the whole process you have probably noticed by now that, from the pcap file to the decoded file produced by the Python script, each time you submitted one of the files to VirusTotal the number of AVs detecting the payload increased, until you reached the final decoded payload. This demonstrates how the obfuscation works and how, layer by layer, we got to the evil piece of code.
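To make the repeating-key XOR idea and the key recovery concrete, here is an added example (my own illustration, not xortool's code and not taken from the pcap). It constructs a toy payload with a large zero-filled region, as PE files have, XORs it with the key reported above, and then recovers the key the way xortool's default mode does: pick the key length whose stride produces the most equal byte pairs, then assume the most frequent plaintext byte in each key column is 0x00. The sample plaintext and the key-length bound are assumptions for the demo.

```python
"""Repeating-key XOR: why the key shows as a pattern, and how it is recovered.

Added example; not xortool's code. The payload bytes are constructed here.
"""
from collections import Counter

KEY = b"adR2b4nh"  # key reported in the post for this Angler payload

# Constructed stand-in for a payload: structured header bytes, a long
# zero-padded region, then more structured bytes. Not taken from the pcap.
SAMPLE_PLAINTEXT = (
    bytes(range(256)) * 4 + b"\x00" * 8192 + bytes(range(255, -1, -1)) * 4
)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR byte i of data with key[i mod len(key)]. XOR is its own inverse,
    so the same function both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def guess_key_length(data: bytes, max_len: int = 32) -> int:
    """Return the stride with the highest fraction of equal byte pairs.
    Where the plaintext is constant (zero padding) the ciphertext repeats
    with the key's period, so the true length and its multiples score high;
    the strict '>' keeps the smallest of them."""
    best_len, best_score = 1, -1.0
    for klen in range(1, max_len + 1):
        pairs = len(data) - klen
        equal = sum(1 for i in range(pairs) if data[i] == data[i + klen])
        score = equal / pairs
        if score > best_score:
            best_len, best_score = klen, score
    return best_len


def recover_key(data: bytes, klen: int, most_common_plain: int = 0x00) -> bytes:
    """For each key position, the most frequent ciphertext byte in that
    column is assumed to be most_common_plain XORed with the key byte."""
    key = bytearray()
    for j in range(klen):
        column = data[j::klen]
        top_byte, _count = Counter(column).most_common(1)[0]
        key.append(top_byte ^ most_common_plain)
    return bytes(key)


def analyse(ciphertext: bytes) -> dict:
    """Run the full recovery and return what an analyst wants to see."""
    klen = guess_key_length(ciphertext)
    key = recover_key(ciphertext, klen)
    return {
        "key_length": klen,
        "key": key,
        "plaintext": xor_repeating(ciphertext, key),
    }


if __name__ == "__main__":
    ct = xor_repeating(SAMPLE_PLAINTEXT, KEY)
    # In the zero-padded region the ciphertext is literally the key, repeated:
    # this is the repeating ASCII pattern visible in the Wireshark hex view.
    print(ct[1024:1024 + 24])
    result = analyse(ct)
    print(result["key_length"], result["key"])
    print(result["plaintext"] == SAMPLE_PLAINTEXT)
```

The zero-byte assumption is what makes this work on executables and fails on inputs without a dominant byte, which is also why a long key or a non-repeating keystream defeats this simple statistics-based recovery.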
Let’s assume that you also want to extract the payload to do further analysis or send it to another specialist team in your organization. To do this you have to open the file decoded by xortool in a hex editor.
This is the payload decoded by xortool. In order to extract the malware within the payload we need to carefully search for the string ‘PE’, which marks the header of a portable executable file. Once we have done this we cut everything before the executable (the shellcode) to get to the malware, which is a DLL file; the magic number at the beginning of the file, 4D 5A, confirms it. If you upload this file to VirusTotal you will get AV hits, so you have successfully carved the malware from the pcap file.
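The same carving step, done programmatically rather than by eye, as an added example (my own code, not from the post). Instead of trusting any ‘PE’ or ‘MZ’ string it finds, it follows each MZ candidate's e_lfanew field (offset 0x3C) to the ‘PE\0\0’ signature and reads the IMAGE_FILE_DLL flag from the file header, so stray two-byte matches inside shellcode are rejected and the DLL nature of the carved file is confirmed from the header itself. The shellcode stub and the PE-shaped bytes are constructed for the demo and are not the bytes from the pcap.

```python
"""Carve an embedded PE file out of a decoded blob.

Added example, not code from the post. All sample bytes are constructed.
"""
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002  # Characteristics: valid image
IMAGE_FILE_DLL = 0x2000               # Characteristics: image is a DLL
IMAGE_FILE_MACHINE_I386 = 0x014C

# Constructed shellcode stand-in: NOPs with decoy 'MZ' and 'PE' strings that a
# naive text search would trip over.
SHELLCODE_STUB = b"\x90" * 32 + b"MZ" + b"\x00" * 8 + b"PE" + b"\x90" * 40


def build_fake_pe(is_dll: bool, body: bytes = b"\xcc" * 64) -> bytes:
    """Construct a minimal PE-shaped blob (not runnable, header only):
    DOS header with e_lfanew -> 'PE\\0\\0' -> IMAGE_FILE_HEADER -> body."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\x00" * 0x3A)      # 0x3C bytes of DOS header
    dos += struct.pack("<I", e_lfanew)            # e_lfanew lives at 0x3C
    dos += b"\x00" * (e_lfanew - len(dos))        # pad up to the NT headers
    characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack(
        "<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 0xE0, characteristics
    )
    return bytes(dos) + b"PE\x00\x00" + file_header + body


def find_pe(blob: bytes) -> list:
    """Return one record per validated PE header in blob: MZ offset, PE
    signature offset, machine type, DLL flag and the bytes from MZ to the
    end of the blob (the post's 'cut everything before it' carve)."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if (
                e_lfanew >= 0x40
                and pe_off + 24 <= len(blob)
                and blob[pe_off:pe_off + 4] == b"PE\x00\x00"
            ):
                machine, _nsec, _ts, _symtab, _nsym, _optsz, chars = struct.unpack_from(
                    "<HHIIIHH", blob, pe_off + 4
                )
                hits.append({
                    "offset": pos,
                    "pe_offset": pe_off,
                    "machine": machine,
                    "is_dll": bool(chars & IMAGE_FILE_DLL),
                    "data": blob[pos:],
                })
        pos = blob.find(b"MZ", pos + 1)
    return hits


if __name__ == "__main__":
    blob = SHELLCODE_STUB + build_fake_pe(is_dll=True)
    for hit in find_pe(blob):
        print(f"MZ at 0x{hit['offset']:x}, PE at 0x{hit['pe_offset']:x}, "
              f"machine 0x{hit['machine']:04x}, DLL={hit['is_dll']}, "
              f"{len(hit['data'])} bytes carved")
```

Keeping everything from the MZ to the end of the blob matches what the post does in the hex editor; a stricter carve would compute the image length from the section table so trailing junk after the executable is dropped as well.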
With this third post in the series I hope you have a better idea of how criminals are bypassing expensive and complex cyber defenses. XOR encryption is an old and simple method to obfuscate information, but it is still very relevant nowadays, as this post has demonstrated.