[IN-VM] RAT bypass Emsisoft v9

Dubseven

Level 14
Verified
Aug 12, 2013
694
There are a lot of misguided posts on this thread, particularly about the "amazing power of crypters". For anyone struggling to understand, the purpose of an executable protector is to prevent the file from being reverse engineered. Its purpose is not to hide malicious behaviour. As Fabian pointed out above, the scans included with crypters on the sales pages are usually "scan time" results, that is, an on-demand scan in which the behaviour of the file is not taken into account. Some crypters include so-called 'run time' protection; however, this is almost universally the RunPE method (at least in the sorts of crypter kits most of you will encounter on self-proclaimed 'black hat' forums), and this again is easily detected (and easily unpacked, in case you were wondering).

So to all of those on this thread who seem to be firm advocates of so-called FUD crypters, please bear the above in mind and do a bit of research before arguing a point with someone with a professional level of knowledge ;) (calm down ego, I was talking about Fabian :p)

That was in older times; since then, the crypters have evolved. Now the crypters can perform more actions, hide behaviors, perform hidden extraction, and much more. The big black-hat forums require presenting some videos of behavior bypass, not only scan results. And nowadays, the behavior bypass is the most important part of any crypter.


You are aware that VirusTotal does not include any behavior blocker results in its detections, right? It solely performs an on-demand scan of files and, for files that look particularly interesting, throws them into the Cuckoo sandbox cluster.

I'm not talking about the results of VirusTotal, but about the list of antiviruses present in VirusTotal (Avira, Avast, Comodo...).
 

Mateotis

Level 10
Verified
Well-known
Mar 28, 2014
497
You are aware that VirusTotal does not include any behavior blocker results in its detections, right? It solely performs an on-demand scan of files and, for files that look particularly interesting, throws them into the Cuckoo sandbox cluster.

This. The fact that VT (and I believe other online multi-AV scanners) only conducts a simple signature-based contextual scan makes them unable to accurately depict AV performance. This is why the detection rates in the packs in the Malware Hub do not matter much (unless you run the remaining samples, of course) when weighing AVs.
 

Fabian Wosar

From Emsisoft
Verified
Developer
Well-known
Jun 29, 2014
260
The big black-hat forums require presenting some videos of behavior bypass, not only scan results.
And as we all know, YouTube videos are the ultimate proof! No shenanigans going on there, ever!

And nowadays, the behavior bypass is the most important part of any crypter.
Can a crypter include bypasses for specific behavior blocker implementations? Yes it can. Is a crypter capable of subverting all behavior blockers by design? No, it is not.

To give you a very primitive example. It's a bit outdated, but I think it will do just fine. Do you remember Vundo? Vundo was a nasty browser hijacker from a few years ago. One of the behaviors that was very specific to Vundo and made it incredibly easy to spot in log files at the time was the fact that Vundo always dropped a DLL inside the Windows system folder using a random 5-letter name and then registered that DLL as a Winlogon Notification Package using the very same random 5-letter file base name. So in your logs you would see entries like this:

O20 - Winlogon Notify: pmnnm - C:\WINXP\System32\pmnnm.dll
O20 - Winlogon Notify: rqonk - C:\WINDOWS\SYSTEM32\rqonk.dll
O20 - Winlogon Notify: geeba - D:\WINDOWS\system32\geeba.dll

I think you get the idea. So let's imagine you would want to implement a Vundo behavior blocker. What could you do? Well, you could write a driver that just registers itself with the Windows Configuration Manager (fancy kernel mode name for the registry ;)) and that driver could watch all write accesses to "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify". If it notices that an application writes a new entry to that key that matches the Vundo naming scheme, it could issue an alert and block the application.

Here comes the kicker: This very behavior will never ever be changed by a crypter. It doesn't matter how much injecting into foreign processes is going on, how many thousands of polymorphic encryption layers the crypter puts over that very simple registry modification call or how much it will obfuscate the execution flow. Because underneath all of these layers that try to hide what the sample does from a human or an anti-virus software, there is still Vundo and Vundo will always create this very registry key and trigger your behavior based detection, because that is just what Vundo does. No crypter is going to change that, simply because the sample you throw into any crypter of your choice is essentially a black box and treated as such. The crypter does not know what the sample does, so it can't go in and suddenly change the routine that registers the Windows Logon Notification package to suddenly use 6 letters instead of 5, which would be necessary to bypass our little Vundo behavior blocker.

What could a crypter do though? Well, it could just try to unload your registry filter driver, for example. And while this may work, because you messed up the implementation of your driver and made it dynamically unloadable, for example, it does not mean that it will work for all behavior-blocking registry filters out there. So you may have bypassed my specific behavior blocker implementation, but you didn't avoid behavior blocking as a technique by design. I do not doubt that there are bypasses for specific behavior blocker implementations in crypters out there. I know a few bots like Betabot implement quite a few of them, for example. However, claiming that crypters are capable of bypassing behavior blockers by design is just nonsense.
 
Last edited:
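The Vundo naming rule described in the post above, written out as detection logic run over HijackThis-style O20 log lines; this is an added illustration, not code from the post or from Emsisoft. It assumes the O20 line format shown in the post and treats "5 letters, same base name, DLL in system32" as the whole rule; the same `is_vundo_like` check is what a registry filter watching the Winlogon\Notify key would apply to a newly written value.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample log in HijackThis O20 style. The three Vundo-style
# entries are the ones quoted in the post; the igfxcui entry is a typical
# legitimate Intel graphics notification package, added for contrast.
SAMPLE_LOG = """\
O20 - Winlogon Notify: pmnnm - C:\\WINXP\\System32\\pmnnm.dll
O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxdev.dll
O20 - Winlogon Notify: rqonk - C:\\WINDOWS\\SYSTEM32\\rqonk.dll
O20 - Winlogon Notify: geeba - D:\\WINDOWS\\system32\\geeba.dll
"""

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


def is_vundo_like(value_name: str, dll_path: str) -> bool:
    """Vundo scheme: a random 5-letter value name under Winlogon\\Notify whose
    DLL sits in the system folder under the very same 5-letter base name."""
    if not re.fullmatch(r"[a-z]{5}", value_name, re.IGNORECASE):
        return False
    p = PureWindowsPath(dll_path)
    in_system_dir = p.parent.name.lower() == "system32"
    return in_system_dir and p.stem.lower() == value_name.lower()


def scan_o20_log(text: str) -> list[tuple[str, str]]:
    """Return (value name, DLL path) for every O20 line matching the rule."""
    hits = []
    for line in text.splitlines():
        m = O20_RE.match(line.strip())
        if m and is_vundo_like(m["name"], m["path"]):
            hits.append((m["name"], m["path"]))
    return hits


if __name__ == "__main__":
    for name, path in scan_o20_log(SAMPLE_LOG):
        print(f"ALERT Vundo-like Winlogon Notify entry: {name} -> {path}")
```

Note that the check keys on what the sample does (the registry write and its naming scheme), not on how the file looks, which is exactly the layer a crypter does not touch.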

Cowpipe

Level 16
Verified
Well-known
Jun 16, 2014
781
^^ Says it all :)

Behavior blockers detect what the virus does to the computer. A crypter won't change what the virus does; scan time, run time, party time, it doesn't make a difference. As Fabian has said, the virus still does x, y and z, and no crypter will hide that ;)
 

Deleted member 178

To make it simple:

You can put an optic cloaking device + a sound reducer + a thermal suppressor on a thief; when he tries to break into your house, he still has to open a door or a window, and that he can't hide.
 

Cowpipe

Level 16
Verified
Well-known
Jun 16, 2014
781
To make it simple:

You can put an optic cloaking device + a sound reducer + a thermal suppressor on a thief; when he tries to break into your house, he still has to open a door or a window, and that he can't hide.

But my crypter has a built-in door remover ;) First it gets the address of your house, then it checks if you have windows. Next it actually goes underneath the OS house, then it inserts a whole bunch of junk food (to make a powerful smell to distract the owner whilst the crypter secretly unscrews the hinges on the door). Next the crypter installs its own door (back door) and paints it the same colour so you can't tell the difference. Finally the crypter lays out a red carpet for the thief as he approaches the door. Next the thief opens the door.... oh.

Behaviour Alert: "A Door has been opened"

Stupid damn crypter, Fully Undetectable Door (FUD), yeah right.
 

Dubseven

Level 14
Verified
Aug 12, 2013
694
We are not talking about doors or windows or about any planes or penguins.
Trojans have the ability to be hidden and to spy.

The trojan:
- Adds itself to startup.
- Copies itself (not always).
- Runs itself.

And as we know, the key names can be anything or randomized.
A trojan can install itself one time as Skype, another time as SuperProgram.

So,
- Adds itself to startup.
- Copies itself (not always).
- Runs itself.

All programs can copy themselves, like torrents, installations (setup), Firefox updating itself, etc.
So, we can't monitor that.

- Adds itself to startup.
- Copies itself (not always).

- Runs itself.

We can't block the run because all programs can run themselves for updating or for running some command lines.
So, we can't block that either.

- Adds itself to startup.
- Copies itself (not always).
- Runs itself.


Let's say that the security software detects the outgoing port.
The crypter can change that to legitimate outgoing HTTP.

Let's say that the antivirus blocks small files; as we know, much malware comes as small files.
The crypters can pump them easily... so, bypassed too.

Believe me, all security solutions that you can see on the VirusTotal list (60 AVs) can be bypassed FULLY at 100%.
The hard thing is not blocking anything. The hard part is differentiating the good from the bad.
But in our case, Skype can do things that a trojan does ;)
So, it's very hard to differentiate.

Much malware has these behaviors, yes, but a lot of it has behaviors that no software can differentiate.
 

Cowpipe

Level 16
Verified
Well-known
Jun 16, 2014
781
I'm sticking with the house analogy :p
 
Last edited:

Fabian Wosar

From Emsisoft
Verified
Developer
Well-known
Jun 29, 2014
260
I fail to see what any of your ramblings have to do with your original claim: that there are crypters that take a sample that was previously detected by a behavior blocker and modify it in a way that, after the process is finished, the sample is no longer detected by the very same behavior blocker.
 

Cowpipe

Level 16
Verified
Well-known
Jun 16, 2014
781
Perhaps this thread has got a little silly now and we're ending up going around in circles ;)
 
Last edited:
  • Like
Reactions: Dubseven

Dubseven

Level 14
Verified
Aug 12, 2013
694
I fail to see what any of your ramblings have to do with your original claim: that there are crypters that take a sample that was previously detected by a behavior blocker and modify it in a way that, after the process is finished, the sample is no longer detected by the very same behavior blocker.

This is an example to show that the behavior blockers of popular security solutions can't block a lot of types of threats.
To return to this subject, I'll try to explain myself with some examples, because I have some difficulties with English, sorry Fabian :)

Let's take a newly made SpyN Remote Administration T. malware.
The extracted file is hidden, carries some copyright info from another Microsoft file, and is not signed.

We agree that it will be detected by the behavior blocker.
So, let's run it through the newest end-point crypter.

In the instructions, the developer claims to deactivate all actions of the malware (no copy etc., only run).
After that, the bad person chooses his options in the crypter.
For example, Run on Startup and hide some details.

The crypter will add its own options, made by the developer, that the security solution will not detect.

So, the crypter acts to copy and install the malware, using the developer's knowledge about behavior blockers, to prevent the security solution from detecting it.


I hope it's clear to understand :)
Regards,
 

Deleted member 178

It is what Fabian said earlier: if the malware is set to bypass a particular BB, it can be done, but this specific malware can't bypass ALL behavior blockers.
 
  • Like
Reactions: Cowpipe

Cowpipe

Level 16
Verified
Well-known
Jun 16, 2014
781
It is what Fabian said earlier: if the malware is set to bypass a particular BB, it can be done, but this specific malware can't bypass ALL behavior blockers.

How long until someone brings up AutoIt and starts arguing that you can disable any antivirus behavioural blocker with just a few mouseclick()s.....
 

Fabian Wosar

From Emsisoft
Verified
Developer
Well-known
Jun 29, 2014
260
Anybody else enjoying this ringside seat to a 'battle of the antivirus vendors'?
It really is nothing like that and I would appreciate if you could stop trying to imply otherwise. It's nothing personal, but it's not good for business to have someone running around shouting "look at this Emsisoft and Tiranium dude fighting it out in public!" I will have to leave otherwise as I did before.

So, the crypter acts to copy and install the malware, using the developer's knowledge about behavior blockers, to prevent the security solution from detecting it.
So your proposal is to outsource the actual installation to the crypter. Even if the crypter is somehow able to install the malware without triggering the behavior blocker, the problem is that you assume that behavior blockers will always only attempt to detect malware installation. I can assure you, that assumption is wrong.
 
  • Like
Reactions: Petrovic

Cowpipe

Level 16
Verified
Well-known
Jun 16, 2014
781
It really is nothing like that and I would appreciate if you could stop trying to imply otherwise. It's nothing personal, but it's not good for business to have someone running around shouting "look at this Emsisoft and Tiranium dude fighting it out in public!" I will have to leave otherwise as I did before.

You have misunderstood my intentions. I have simply been commenting on how this debate (not fight) has been progressing, and particularly, expressing my general opinion that there is a general misconception amongst the public as to the purpose and capabilities of crypters. I apologise if the way it has come across has differed from my intentions; I have edited my posts accordingly and will keep out of the rest of this discussion.

Thank you anyway for sharing your knowledge; many of the members here, including myself, appreciate your time and your willingness to educate outside of the main support forum.
 
  • Like
Reactions: Dubseven
