DIY Spy Covert Channels With Scapy And Python Jen Allen
ANYCon 2017
Picture this: a new super flu hits, and the sickness spreads faster than the World Health Organization can track it or respond. Thousands of people fall ill first in distant places, and then, before you've even finished reading the dire headlines, all around you. By the time you know there is a problem, you are already at risk, maybe already ill. The WHO responds with a vaccine, but only a quarter of the population seem to benefit from it, leaving a massive number of people unprotected and spreading contagion at an increasing rate. What's going on? People start dying, infrastructure grinds to a halt in region after region as the super flu spreads. Finally, the WHO releases a statement: Our vaccines are failing for most of the population because the virus is changing every time it spreads to a new host. The WHO has no defense for this rapid mutation, and can only recommend that people stay inside, away from anyone else, for the foreseeable future.
This is the reality in cybersecurity. One security solutions provider, Sophos Labs, reports malware is avoiding detection 75% of the time, and that the signatures your anti-virus program depends on (the vaccine) are only catching a minority of these electronic super flus.
Why is this happening?
Malicious hackers have become savvy in avoiding AV signatures, much like an evolving flu becomes stronger with time. The strongest designs survive and become harder and harder to stop. How does this work? Malicious hackers use several techniques to evade AV by making every piece of malware unique, including:
Custom Coding
Encoding
Packing/Encrypting
Splicing/Binding
We'll use the easy analogy of getting inside a building you aren't supposed to be in as a way of framing each of these attack techniques. Imagine you are the malware, and your job is to get inside a building with a security guard - AV - standing at the front door.
Custom Coding
One of the easiest ways to avoid AV detection is to write custom code for every infection. If the malware needs to perform some action, XYZ, that action can be written in myriad different ways, each using slightly different lines of code, so no two samples share the byte pattern a signature was built from.
Easy analogy: Getting into the building using a different doorway. If they catch you at the front door, go to a side entrance (or use a window!) - you'll achieve the same effect and won't get caught because you used a different way in.
Encoding
Encoding takes one character set and changes it to an equivalent, but different, set. By using a different character set, you are effectively changing the appearance of malware.
Easy analogy: Changing your suit and tie for a different suit and tie. Very weak attempt, but some of those AV security guards just aren't doing their jobs.
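Added example, not from the original talk: a defender-side illustration of why a signature must be matched after decoding, not before. The signature, the encoded sample, and the two-layer (hex inside base64) wrapping are all constructed for demonstration; a naive byte-pattern scan misses the wrapped marker, while a scanner that peels encoding layers to a bounded depth still finds it.

```python
import base64
import binascii
import re

# Constructed marker standing in for the byte pattern an AV signature
# would look for. Not a real signature.
SIGNATURE = b"CONSTRUCTED_BAD_MARKER"


def build_sample() -> bytes:
    """Constructed sample: the marker wrapped in two encoding layers (hex, then base64)."""
    hex_layer = binascii.hexlify(SIGNATURE)
    return base64.b64encode(hex_layer)


B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
HEX_RE = re.compile(rb"^[0-9a-fA-F]+$")


def naive_scan(data: bytes) -> bool:
    """Plain byte-pattern match, as a signature engine with no decoding would do."""
    return SIGNATURE in data


def peel_layer(data: bytes):
    """Remove one encoding layer (hex or base64); return None if data is not encoded."""
    stripped = data.strip()
    # Hex is checked first because every hex string is also valid base64 text.
    if HEX_RE.match(stripped) and len(stripped) % 2 == 0:
        return binascii.unhexlify(stripped)
    if B64_RE.match(stripped) and len(stripped) % 4 == 0:
        try:
            return base64.b64decode(stripped, validate=True)
        except binascii.Error:
            return None
    return None


def normalizing_scan(data: bytes, max_layers: int = 5) -> bool:
    """Match the signature at every decoding layer, up to a bounded depth
    so that deliberately deep nesting cannot stall the scanner."""
    current = data
    for _ in range(max_layers + 1):
        if SIGNATURE in current:
            return True
        nxt = peel_layer(current)
        if nxt is None:
            return False
        current = nxt
    return False


if __name__ == "__main__":
    sample = build_sample()
    print("naive scan finds encoded marker:      ", naive_scan(sample))
    print("normalizing scan finds encoded marker:", normalizing_scan(sample))
```

The depth limit matters in practice: an unbounded decoder is itself a denial-of-service target, and real engines also emulate or unpack rather than relying on regex-shaped layer detection alone.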
Packing/Encrypting
Packing or encrypting malware takes the bad code that AVs recognize and compresses or encrypts it, then adds a small stub of code onto the resulting "packed" file that decompresses or decrypts the bad code once it has arrived at its destination.
Easy analogy: Hiding inside a laundry cart while someone walks you in the front door. Nobody will know what is in the cart until they open the lid.
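Added example, not from the original talk: one heuristic defenders use to spot the "laundry cart" without opening it. Compressed or encrypted data has a byte distribution close to uniform, so its Shannon entropy approaches 8 bits per byte, while ordinary code and text sit well below that. The samples here are constructed (random bytes stand in for an encrypted payload); the window size and the 7.2 threshold are assumptions chosen for illustration.

```python
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0) over the byte-value distribution."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def chunk_entropies(data: bytes, chunk_size: int = 1024):
    """Entropy of each fixed-size window, so a packed region inside an
    otherwise ordinary file still stands out."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def looks_packed(data: bytes, threshold: float = 7.2, chunk_size: int = 1024) -> bool:
    """Heuristic: flag the input if any full-sized window exceeds the entropy threshold.
    Only complete windows are scored so a short tail cannot skew the result."""
    for i in range(0, len(data) - chunk_size + 1, chunk_size):
        if shannon_entropy(data[i:i + chunk_size]) > threshold:
            return True
    return False


# Constructed samples (not real files):
PLAIN_SAMPLE = b"This is ordinary readable program text and strings. " * 80
PACKED_SAMPLE = b"HEADER\x00" + os.urandom(4096)   # random bytes stand in for an encrypted blob
MIXED_SAMPLE = PLAIN_SAMPLE + PACKED_SAMPLE          # plain prefix with a packed region appended

if __name__ == "__main__":
    for name, sample in [("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE), ("mixed", MIXED_SAMPLE)]:
        print(f"{name:7s} max window entropy {max(chunk_entropies(sample)):.2f} "
              f"flagged={looks_packed(sample)}")
```

High entropy is a triage signal, not a verdict: legitimate compressed archives, images, and many signed installers score just as high, so the check is useful for deciding what to unpack or sandbox next rather than for blocking on its own.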
Splicing/Binding
Splicing or binding malware onto a legitimate program allows a malicious hacker to trick users into running malware by hiding it inside something they would want to run. It also changes the appearance of the malware, and can fool AV programs that don't take a closer look at what was appended to the legitimate file.
Easy analogy: Getting someone with a pass to let you walk in with their party. "I'm with him," you say with a nod to the nice, authorized fellow next to you.
All of the Above
Malware authors are using the tricks above to create very hard to detect variants of known bad code. Every variant is eventually caught, but keeping up with the millions of new and disguised variants appearing every day is becoming a losing fight against the statistics. This is why malware writers are laughing at your AV.