A school project. How well does Metasploit encode its executables? I'm putting it to the test against 10 different antivirus programs. This is just the proposal; the finished version should be done in a month or so.
2. Research Question
3. Hypothesis & Null Hypothesis
4. There is no statistical difference between antivirus detection of executables that have been encoded using Metasploit
5. Introduction
6. What is Metasploit?
7. How well are we protected from malware?
8. Negative effects of malware
9. Can a simple encoding scheme render AV useless?
10. What about more advanced encoders?
11. How well can AV software defend against easily accessible encoders provided by the Metasploit framework?
12. Terms
MD5
Binary file
Sandbox
13. Terms Continued
Encryption + Decryption
Exploit
TCP/IP
Virtual Machine
14. Background: How AV Works
15. Heuristics
16. File Signatures
17. Algorithm or static signature
18. File Signature Scanning
[Diagram: a person uses AV to scan an unknown file; the scanner computes a signature from the unknown file and compares it to a database of known file signatures, asking whether it matches the signature of a known virus.]
19. Not resource intensive
Limitations
20. Heuristic Scanning
[Diagram: a person uses AV to scan an unknown file; the file is run in a sandbox, its system calls and activity are monitored and relayed to a risk analysis engine, which decides whether it looks suspicious.]
21. Heuristic Scanning
22. Doesn't rely on a signature database
Limitations:
23. Resource intensive
24. How To Avoid Detection
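The two scanning approaches on slides 16 to 23 above, file-signature scanning and heuristic scanning, as one added example in Python. This is not code from the proposal or from any AV product; every sample, hash, byte pattern and sandbox trace in it is constructed for illustration. It shows the point the deck is driving at: an MD5 signature of the original executable no longer matches once the file has been re-encoded, a byte-pattern signature on the part that stays constant (here a constructed decoder-stub stand-in with a wildcard for the key byte) still does, and a heuristic engine that scores sandbox activity never looks at the bytes at all.

```python
"""Toy model of the two scanning approaches on the slides: file-signature
scanning (an MD5 hash database plus a static byte-pattern signature) and
heuristic scanning (scoring the activity recorded by a sandbox).

Added example, not part of the deck.  Every sample, hash, pattern and
sandbox trace below is constructed for illustration; nothing here is real
malware or a real AV signature."""
import hashlib
import re

# --- constructed "executables" (byte strings standing in for binaries) ---
HEADER = b"MZ\x90\x00"
STUB_PREFIX = b"\x55\x89\xe5\x31\xc9"   # constructed stand-in for a decoder stub
# The original, unencoded sample and a benign hello-world stand-in.
ORIGINAL = HEADER + b"reverse-tcp payload bytes (constructed)"
HELLO = HEADER + b'puts("hello world")'
# Two "encoded" variants: the same decoder stub, one key byte that differs,
# then payload bytes that differ completely (as a re-encoding would produce).
ENCODED_V1 = HEADER + STUB_PREFIX + b"\x41" + b"\x5e" + b"\x08\x9a\xc3\x77\x12\xee"
ENCODED_V2 = HEADER + STUB_PREFIX + b"\x7b" + b"\x5e" + b"\x6d\x00\xf1\x2c\x9b\x40"

# --- file-signature engine ------------------------------------------------
# Hash database: one MD5 per known-bad file (slide 17, "static signature").
HASH_DB = {hashlib.md5(ORIGINAL).hexdigest(): "Trojan.ReverseTCP.Original"}
# Pattern database: the decoder stub with a wildcard ('.') for the key byte.
PATTERN_DB = {
    "Trojan.ReverseTCP.Stub": re.compile(re.escape(STUB_PREFIX) + rb".\x5e", re.DOTALL),
}

def scan_signature(data: bytes, use_patterns: bool = True):
    """Return the matching signature name, or None if nothing matches."""
    digest = hashlib.md5(data).hexdigest()
    if digest in HASH_DB:
        return HASH_DB[digest]
    if use_patterns:
        for name, pattern in PATTERN_DB.items():
            if pattern.search(data):
                return name
    return None

# --- heuristic engine -----------------------------------------------------
# Constructed sandbox traces: one event per line, as a monitor might log them.
TRACE_HELLO = """write(1, "hello world")
exit(0)"""
TRACE_REVERSE_TCP = """socket(AF_INET, SOCK_STREAM)
connect(192.0.2.10:4444)
dup2(3, 0)
dup2(3, 1)
execve("/bin/sh")"""

# Risk weights used by the risk analysis engine; calls not listed score 0.
RISK_WEIGHTS = {"socket": 1, "connect": 3, "dup2": 2, "execve": 4}
THRESHOLD = 6   # constructed cut-off for "looks suspicious"

def scan_heuristic(trace: str):
    """Score each event of a sandbox trace; return (score, suspicious)."""
    score = 0
    for line in trace.splitlines():
        call = line.split("(", 1)[0].strip()
        score += RISK_WEIGHTS.get(call, 0)
    return score, score >= THRESHOLD

if __name__ == "__main__":
    for label, sample in [("original", ORIGINAL), ("encoded v1", ENCODED_V1),
                          ("encoded v2", ENCODED_V2), ("hello", HELLO)]:
        print(f"{label:11} hash-only: {scan_signature(sample, False)!s:28} "
              f"with pattern: {scan_signature(sample)}")
    for label, trace in [("hello", TRACE_HELLO), ("reverse tcp", TRACE_REVERSE_TCP)]:
        print(f"{label:11} heuristic: {scan_heuristic(trace)}")
```

The hash-only scan detects only the original file; both encoded variants slip past it, which is exactly what the experiment measures across real AV products. The wildcard pattern catches both variants because the stub is what an encoder leaves unchanged, and the heuristic engine flags the reverse-TCP trace on behaviour alone, at the cost (slide 23) of actually running the sample in a sandbox.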
25. Decrypted at runtime
26. Change encryption/decryption key each time it runs
Metamorphism
Oligomorphism
27. Chooses decryptor from set of key combinations
28. Polymorphism
[Diagram: an encrypted portion plus an encryption/decryption engine with a key (key=10). At run time the engine decrypts the main code, which runs and does evil things to the computer; the program then changes the encryption/decryption engine and the key (key=11) and encrypts the main code again with the new key and engine.]
29. Metamorphism
[Diagram: the virus (shown in a hex view) runs and does evil stuff; it takes its own source code and adds a useless piece (like a NOP slide), so void main() { EvilFunction(); } becomes void main() { EvilFunction(); UselessFunction(); }; it is recompiled with the new code and a new binary is produced.]
30. Oligomorphism
[Diagram: an encrypted portion and an engine with key=???; the decryptor/key is assembled from pieces A, B, C and D, giving variants such as key=a+c/b, key=b+c^d and key=b%2+c around the same If (decrypted) { EvilStuff(); } body.]
31. Metasploit Itself
32. Ruby
33. Exploits + payloads
34. >1mil annual downloads
35. Constantly updated with wild exploits
36. Can produce standalone trojan binaries
37. In this study...
38. TCP = done over the Internet
All information for the connection is hard-coded in the executable
[Diagram: connection between an unknowing victim and an evil hacker.]
39. Variables
Dependent:
40. Controls
Negative Control:
41. Hello world program in C compiled on a clean Ubuntu install
42. Snapshot feature on VMware
Same version of AV
All AV updated to the most recent virus definitions
43. Same version & installation of Metasploit used
44. Controls and More
45. Same reverse TCP information (IP, port) used
46. All encodings were done on the same original executable
47. Data Collection
48. Analysis
49. Chi Square Test
50. References
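The chi-square test named on slide 49, carried through on constructed numbers as an added example (not the proposal's own data or code). The table assumes the planned setup: 10 antivirus programs each scan the unencoded executable and two encoded variants, and each cell counts how many programs detected or missed that sample. The null hypothesis from slide 4, that detection does not differ between encoded and unencoded executables, is rejected when the statistic exceeds the 0.05 critical value for the table's degrees of freedom.

```python
"""Chi-square test of independence for the analysis step: does detection
depend on whether (and how) the executable was encoded?

Added example, not part of the proposal.  The counts are constructed:
10 AV programs each scanned an unencoded sample and two encoded variants;
a cell is the number of programs that detected / missed that sample."""

# Rows: sample; columns: [detected, not detected].  Constructed data.
SAMPLES = ["unencoded", "encoder A", "encoder B"]
TABLE = [
    [10, 0],   # unencoded: all 10 programs detect it
    [4, 6],    # encoder A
    [7, 3],    # encoder B
]

# Upper critical values of chi-square at alpha = 0.05, by degrees of freedom.
CRITICAL_05 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 5: 11.070}

def chi_square_test(table):
    """Return (statistic, degrees of freedom, low_expected_flag).

    low_expected_flag is True when any expected count is below 5, the usual
    rule of thumb for when the chi-square approximation becomes unreliable."""
    rows, cols = len(table), len(table[0])
    row_tot = [sum(r) for r in table]
    col_tot = [sum(table[i][j] for i in range(rows)) for j in range(cols)]
    n = sum(row_tot)
    stat, low_expected = 0.0, False
    for i in range(rows):
        for j in range(cols):
            expected = row_tot[i] * col_tot[j] / n
            if expected == 0:
                raise ValueError("empty row or column; table is degenerate")
            if expected < 5:
                low_expected = True
            stat += (table[i][j] - expected) ** 2 / expected
    return stat, (rows - 1) * (cols - 1), low_expected

def reject_null(stat, df, critical=CRITICAL_05):
    """True when the statistic exceeds the alpha = 0.05 critical value."""
    return stat > critical[df]

if __name__ == "__main__":
    stat, df, low = chi_square_test(TABLE)
    print(f"chi-square = {stat:.3f}, df = {df}, critical(0.05) = {CRITICAL_05[df]}")
    print("reject null hypothesis:", reject_null(stat, df))
    if low:
        print("warning: an expected count is below 5; consider Fisher's exact test")
```

With these counts the statistic is 60/7 (about 8.57) on 2 degrees of freedom, above the 5.991 cut-off, so the null hypothesis would be rejected. The low-expected-count flag matters for a study of this size: with only 10 AV programs per sample, expected counts of 3 in the "not detected" column are below the usual minimum of 5, so the chi-square approximation is weak and an exact test (Fisher's) on the same table is the safer choice for the final write-up.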