Metasploit Framework Executable Encoding


DESCRIPTION

A school project. How well does Metasploit encode its executables? I'm putting it to the test against 10 different antivirus programs. This is just the proposal; the finished version should be done in a month or so.


Metasploit Payload Encoding and Antivirus Detection

Research Question

  • How well does Metasploit's executable encoding prevent detection by antivirus software?

Hypothesis & Null Hypothesis

  • Hypothesis: the Shikata Ga Nai encoding scheme will result in the lowest number of detections by antivirus software, because it utilizes a polymorphic engine.
  • Null hypothesis: there is no statistical difference between antivirus detection of executables that have been encoded using Metasploit.

Introduction

  • Rationale
  • War between antivirus software and malware programmers
  • What is Metasploit?
  • How well are we protected from malware?
  • Negative effects of malware
  • Can a simple encoding scheme render AV useless?
  • What about more advanced encoders?
  • How well can AV software defend against easily accessible encoders provided by the Metasploit framework?

Terms

  • Malware
  • Any file that does things to a computer that a user does not want it to, or is not aware of

MD5

  • Method of creating a fingerprint for a file. Unique to EVERY file (3.4 * 10^38 combinations possible)

Binary file

  • An executable program's file

Sandbox

  • Virtual area that is completely separated from the host computer

13. Terms Continued

  • Compile
  • To turn readable code into an executable file

Encryption + Decryption

  • Encryption turns information into seemingly random information, using a key (like a password). Decryption reverses this

Exploit

  • To take advantage of a programmer's mistakes. Can make a computer execute programs. AKA vulnerability, 0-day

TCP/IP

  • Protocol that the Internet mainly works on

Virtual Machine

  • Program used to emulate (simulate) an entire computer

Background: How AV Works

  • 2 main methods of detection:
  • File signature
  • Heuristics

File Signatures

  • Most common method
  • Algorithm or static signature
  • Ex/ MD5, or look for suspicious behavior

[Flowchart: a person using AV scans an unknown file; a signature is computed from the unknown file and compared against a database of known file signatures; does it match the signature of a known virus?]

File Signature Scanning

  • Benefits:
  • Easy to implement
  • Not resource intensive
  • Limitations:
  • Useless against new threats
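The signature-scanning flow above, as an added example that is not part of the original proposal: an MD5 hash-signature lookup beside a byte-pattern (static/algorithmic) signature, run over constructed sample files that contain no real code. The sample bytes, the shared `STUB` prefix and the signature names are assumptions; the block also shows the limitation just listed, since a re-encoded variant changes the MD5 while a shared byte pattern can still be matched.

```python
import hashlib

# Constructed samples standing in for an executable, a re-encoded variant of
# it, and the benign control. None of these bytes is real code; the two
# "malicious" samples only share a short decoder-stub prefix (an assumption).
STUB = b"STUB-constructed-decoder"
ORIGINAL = STUB + b"body-v1"
VARIANT = STUB + b"body-v2"   # same stub, body bytes changed by re-encoding
BENIGN = b"hello world program"


def md5_hex(data):
    """Fingerprint a file the way the 'Ex/ MD5' signature method describes."""
    return hashlib.md5(data).hexdigest()


# Hash-signature database: built only from the sample the vendor has seen.
HASH_SIGNATURES = {md5_hex(ORIGINAL): "sample_1"}
# Algorithmic/static-signature database: a byte sequence shared by the family.
PATTERN_SIGNATURES = {STUB: "sample_1_family"}


def scan_hash(data, db=HASH_SIGNATURES):
    """Exact fingerprint lookup: returns the signature name or None."""
    return db.get(md5_hex(data))


def scan_pattern(data, db=PATTERN_SIGNATURES):
    """Byte-pattern search: returns the first matching family name or None."""
    for pattern, name in db.items():
        if pattern in data:
            return name
    return None


def scan(data):
    """Run both methods; returns (hash_match, pattern_match)."""
    return scan_hash(data), scan_pattern(data)


if __name__ == "__main__":
    for label, sample in [("original", ORIGINAL), ("variant", VARIANT), ("benign", BENIGN)]:
        print(label, scan(sample))
```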

Heuristic Scanning

[Flowchart: a person using AV scans an unknown file; the file is run in a sandbox; system calls and activity are monitored and relayed to a risk analysis engine; does it look suspicious?]

  • Benefits:
  • Can detect new malware
  • Doesn't rely on a signature database
  • Limitations:
  • False positives
  • Resource intensive

How To Avoid Detection

  • Polymorphism
  • Functional portion of code is encrypted
  • Decrypted at runtime
  • Change encryption/decryption key each time it is run

Metamorphism

  • Each time malware replicates, it changes itself

Oligomorphism

  • Similar to polymorphism
  • Chooses decryptor from a set of key combinations

[Diagram, Polymorphism: an encrypted portion plus an encryption/decryption engine with a key; decrypt the main code and run it, then change the encryption/decryption engine and the key, and encrypt the main code with the new key and engine.]

[Diagram, Metamorphism: the virus (shown as a hex view) runs, takes its own source code and adds a useless piece (like a NOP slide), is recompiled with the new code, and a new binary is produced.]

[Diagram, Oligomorphism: the encrypted portion is paired with one decryptor/key piece chosen from a set (A, B, C, D).]

Metasploit Itself

  • Exploit framework
  • Ruby
  • Exploits + payloads
  • >1 million annual downloads
  • Constantly updated with wild exploits
  • Can produce standalone trojan binaries

In this study...

  • Reverse TCP Payload
  • Reverse= victim connects to attacker

  • TCP = done over Internet
  • All information for the connection is hard coded in the executable

[Diagram: the unknowing victim's machine initiates the connection out to the evil hacker.]

Variables

  • Independent:
  • Type of encoder used

Dependent:

  • Whether or not the malware is detected by AV

40. Controls

  • Positive:
  • Unencoded executable

Negative Control:

  • A file known to be benign

  • hello world program in C compiled on clean Ubuntu install

  • Constants:
  • Environment in which the scan is performed is identical
  • Snapshot feature on VMware
  • Same version of AV
  • All 2011
  • All AV updated to most recent virus definitions
  • Same version & installation of Metasploit used

Controls and More

  • Same exploit & payload
  • Same reverse TCP information (IP, port) used
  • All encodings were done on the same original executable

  • Replicates
  • Scans repeated 5 times each trial to ensure accuracy

Data Collection

Analysis

  • Is there statistical difference between encoders?

  • Chi Square Test
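The chi-square test named in the analysis step, as an added example (not the proposal's own analysis code): a test of independence between encoder and detection outcome over a constructed 4-by-2 table of results for 10 AV programs. The counts, the placeholder encoder names and the alpha = 0.05 critical values are assumptions; the block also flags the small-expected-count caveat that a table of this size runs into.

```python
# Upper critical values of the chi-square distribution at alpha = 0.05,
# indexed by degrees of freedom (standard statistical-table values).
CRITICAL_05 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070}

# Constructed (hypothetical) results: encoder -> (detected, not detected)
# across 10 AV programs. encoder_b/encoder_c are placeholder names.
OBSERVED = {
    "unencoded (positive control)": (10, 0),
    "shikata_ga_nai": (6, 4),
    "encoder_b (placeholder)": (8, 2),
    "encoder_c (placeholder)": (9, 1),
}


def chi_square_independence(table):
    """Chi-square test of independence on a contingency table given as
    {row_label: (count_col1, count_col2, ...)}.
    Returns (statistic, degrees_of_freedom, expected_counts)."""
    rows = list(table.values())
    n_cols = len(rows[0])
    row_totals = [sum(r) for r in rows]
    col_totals = [sum(r[j] for r in rows) for j in range(n_cols)]
    grand = sum(row_totals)
    statistic, expected = 0.0, []
    for r, rt in zip(rows, row_totals):
        exp_row = [rt * ct / grand for ct in col_totals]
        statistic += sum((o - e) ** 2 / e for o, e in zip(r, exp_row))
        expected.append(exp_row)
    df = (len(rows) - 1) * (n_cols - 1)
    return statistic, df, expected


def analyze(table, critical=CRITICAL_05):
    """Decide the null hypothesis at alpha = 0.05 and flag the caveat that the
    chi-square approximation is unreliable when any expected count is below 5
    (which a 10-scanner design easily triggers)."""
    stat, df, expected = chi_square_independence(table)
    return {
        "statistic": round(stat, 4),
        "df": df,
        "reject_null_at_05": stat > critical[df],
        "low_expected_counts": any(e < 5 for row in expected for e in row),
    }


if __name__ == "__main__":
    print(analyze(OBSERVED))   # statistic 6.0606, df 3: null not rejected
```

With these constructed counts the statistic (6.06) stays below the df = 3 critical value (7.815), so the null hypothesis would not be rejected, and the undetected column's expected counts (1.75) fall below 5, which is the signal to gather more scans per encoder before trusting the result.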