Sunday, 11 November 2018

Sacara VM Vs Antivirus Industry

Twitter: @s4tan

Sacara VM GitHub project: https://github.com/enkomio/sacara

In this blog post I want to describe my latest side project a bit and provide some data about how effective protections based on software virtualization are.

State of the art

If you have ever read an academic paper, you will have noticed that it is imperative to describe the current state of the art of the topic discussed. I find this section very helpful, so I decided to list here the articles I have read and, in my opinion, their technical level. Of course this is not a complete list, and it is very probable that I have missed some good resources.

Level beginner

As often happens, there are a lot of good resources to start with, and this is also true for the VM protection concept. At this level I think the only skills needed are being able to read assembly and to use a debugger. If you are looking for some code to read, I suggest you take a look at Pasticciotto ([01]). It also has a nice write-up about how the VM works and which opcodes are implemented. Another very interesting challenge is the one created by MalwareTechBlog, where you have to reverse a binary in order to obtain the flag. You can find a good write-up at [02].

Level intermediate

Let's raise the difficulty bar and look at some projects that were created with the real purpose of protecting code. The required skill is being able to write some simple scripts to make your task easier, but nothing too advanced.

Among projects created only for fun, the two most renowned ones are hyperunpackme2 by thehyper ([03]) and the ReWolf x86 Virtualizer ([04]).
Maximus wrote a good (and lengthy) write-up about the first challenge at [05]. Rolf Rolles also wrote a post in which he created an IDA processor module to analyze the code ([06]). Before you ask: I don't consider writing a full IDA processor module to be a basic IDA scripting skill :)

Level Advanced

To tackle advanced reverse engineering problems it is not enough to have a very good understanding of the theoretical concepts; it is also necessary to be proficient with the available tools.

At this level, the amount of work needed to understand what a program is doing cannot be covered by just looking at the assembly code (at least not without an enormous amount of pain). There are three cases in particular that I consider pretty difficult to analyze.

The first one is a crackme challenge implemented by Solar Designer in 1996 (yes, you read that correctly, more than 22 years ago) [07]. In his project the author implemented what is known as a "one instruction set computer" (OISC); in particular, he based all of his work on the NOR instruction.

The second one is challenge number 12 of the 2018 Flare-On challenge (Suspicious Floppy Disk, by Nick Harbour). In this case the author went one step further and implemented two nested OISCs, where the first one is "SUbtract and Branch if Less than or EQual", aka subleq, and the second one is "Reverse Subtract and Skip if Borrow", aka RSSB.
You can read solutions for this challenge at [08,09].

The last example, directly from academia, is the Tigress challenge [10], which is based on the obfuscation of various hash functions using state-of-the-art protections (VM, JIT compilation, etc.). A solution to part of the challenge was provided by Jonathan Salwan in [11].

As you can see by reading the solutions to those challenges, the authors used some advanced techniques, such as writing a custom processor module or emulating the code via symbolic execution. Without proficient knowledge of the tools, solving that kind of challenge would be a very complicated (almost impossible) task.

Introducing Sacara VM

Sacara is another project that implements a custom low-level language that can be used to obfuscate part of your code. It is not a tool that translates a PE binary into an obfuscated one: you have to write your own program :)

It tries to protect the code by using some features that increase the difficulty of the reverse engineering process (such as opcode encryption based on the opcode location, multiple representations of the same opcode, use of the NOR instruction to implement various arithmetic functions, anti-debugging, and so on).
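To make the NOR idea concrete (it is the primitive behind Solar Designer's OISC crackme mentioned above and behind Sacara's NOR-based arithmetic), here is an added Python example that is not code from Sacara or from the crackme: it builds NOT, OR, AND and XOR from NOR alone, counts how many NOR operations each costs, and uses the NOR-built XOR to run a repeating-key XOR decryption loop of the kind used later in this post. The 8-bit word size, the NorMachine class and the operation counter are assumptions of the illustration.

```python
"""NOR-only arithmetic, as used by NOR-based OISC designs and Sacara's arithmetic.

Added example (not Sacara's or Solar Designer's code): builds NOT, OR, AND and
XOR over 8-bit values from the single NOR primitive, and expresses a repeating-key
XOR decryption loop in NOR operations only. The 8-bit width and the operation
counter are assumptions of this illustration.
"""

WIDTH_MASK = 0xFF  # assumed 8-bit machine word for the illustration


class NorMachine:
    """Provides NOR as the only primitive and counts how many NORs a computation needs."""

    def __init__(self) -> None:
        self.nor_count = 0

    def nor(self, a: int, b: int) -> int:
        # The only primitive: NOR(a, b) = NOT (a OR b), truncated to the word width.
        self.nor_count += 1
        return (~(a | b)) & WIDTH_MASK

    def not_(self, a: int) -> int:
        # NOT a = NOR(a, a)
        return self.nor(a, a)

    def or_(self, a: int, b: int) -> int:
        # a OR b = NOT NOR(a, b)
        return self.not_(self.nor(a, b))

    def and_(self, a: int, b: int) -> int:
        # a AND b = NOR(NOT a, NOT b)  (De Morgan)
        return self.nor(self.not_(a), self.not_(b))

    def xor(self, a: int, b: int) -> int:
        # a XOR b = (a OR b) AND NOT (a AND b) = NOR(NOR(a, b), a AND b)
        return self.nor(self.nor(a, b), self.and_(a, b))

    def xor_decrypt(self, data: bytes, key: bytes) -> bytes:
        """Repeating-key XOR (same scheme as the post's ManagedEncrypt) with XOR built from NOR."""
        return bytes(self.xor(c, key[i % len(key)]) for i, c in enumerate(data))


def check_against_native() -> int:
    """Verify every NOR-built operator against Python's native operator for all 8-bit pairs.

    Returns the total number of NOR operations spent doing so.
    """
    m = NorMachine()
    for a in range(256):
        for b in range(256):
            assert m.and_(a, b) == a & b
            assert m.or_(a, b) == a | b
            assert m.xor(a, b) == a ^ b
        assert m.not_(a) == (~a) & WIDTH_MASK
    return m.nor_count


def nor_cost_of_xor() -> int:
    """How many NOR operations one 8-bit XOR costs with the derivation above."""
    m = NorMachine()
    m.xor(0x5A, 0xA5)
    return m.nor_count


if __name__ == "__main__":
    machine = NorMachine()
    # Constructed sample: a short "ciphertext" made with the same repeating-key XOR.
    key = b"sacara"
    plaintext = b"MZ\x90\x00This program cannot be run in DOS mode."
    ciphertext = bytes(p ^ key[i % len(key)] for i, p in enumerate(plaintext))
    recovered = machine.xor_decrypt(ciphertext, key)
    print("plaintext restored:", recovered == plaintext, "NOR ops used:", machine.nor_count)
```

One XOR costs five NORs with this derivation, so a decryption loop over an n-byte blob is 5n NOR operations, all of which look the same to a disassembler: that uniformity, not any cryptographic strength, is what makes the routine hard to recognise statically.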

I created the project since I wanted to experiment a bit in this area. In the GitHub repository you can find the assembler (written in F#) and the VM that executes the code (written in x86 assembly). I'm not going to describe in detail how it works; it is open source, read the code if you are curious :) Instead, I want to show you how effective this kind of protection can be at hiding the real meaning of a program when the binary is analyzed by an antivirus.

Before proceeding, I want to make clear that this post is not another rant about how the AV industry sucks. Too often people forget how difficult it is to implement such programs. If you really want to write a rant post about it, please be sure to also present an effective solution to the identified problems.

Protecting a .NET binary

For my test I created a sample application that reads a blob from its resources and loads it via the Assembly.Load method. You can find the source code of this program in the GitHub project, under the Example\LoadEncryptedAssembly directory.

The program lets you specify a .NET binary and a password in order to create a copy of itself with the specified file "encrypted" and embedded in its resources. The encryption is very simple (a repeating-key XOR, so the same routine also decrypts); here is the code:
public static void ManagedEncrypt(Byte[] buffer, String password)
{
    // Repeating-key XOR: the password bytes are reused cyclically over the buffer.
    var key = Encoding.Default.GetBytes(password);
    for (var i = 0; i < buffer.Length; i++)
    {
        // XOR is its own inverse, so running this again with the same password decrypts.
        buffer[i] = (byte)(buffer[i] ^ key[i % key.Length]);
    }
}
Once that is done, you can run the newly created program, which simply loads the resource, decrypts it and executes it.
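The strength of this scheme is not the point of the post, but a practitioner should see what "very simple" means in practice. The following Python example is added here and is not code from the blog or the Sacara project: it re-implements the same repeating-key XOR, then recovers the password from the encrypted file alone by exploiting the many 0x00 bytes every PE image contains (header padding, section alignment). The PE-like sample blob, the function names and the 3% tolerance in the key-length guess are constructed for the example.

```python
"""Repeating-key XOR over a PE image: key recovery from the file's own structure.

Added example, not code from the blog or the Sacara project. It mirrors the
ManagedEncrypt routine (password bytes XORed cyclically over the file) and then
recovers the password from the ciphertext alone: a PE image contains long runs
of 0x00, so in each key position the most frequent ciphertext byte is
key_byte XOR 0x00 = key_byte. The sample image below is constructed for the
example and is not a real binary.
"""
from collections import Counter
from typing import Optional, Tuple


def xor_with_password(buffer: bytes, password: bytes) -> bytes:
    """Same scheme as ManagedEncrypt: XOR with the password repeated cyclically."""
    return bytes(b ^ password[i % len(password)] for i, b in enumerate(buffer))


def column_score(ciphertext: bytes, key_len: int) -> float:
    """Average, over key positions, of the share taken by the most common ciphertext byte."""
    total = 0.0
    for pos in range(key_len):
        column = ciphertext[pos::key_len]
        total += Counter(column).most_common(1)[0][1] / len(column)
    return total / key_len


def guess_key_length(ciphertext: bytes, max_len: int = 32) -> int:
    """Pick the shortest key length whose columns are (almost) as skewed as the best one.

    Multiples of the true length score equally well, hence the 'shortest' rule; the
    3% tolerance is an assumption that works for zero-heavy inputs such as PE files.
    """
    scores = {n: column_score(ciphertext, n) for n in range(1, max_len + 1)}
    best = max(scores.values())
    return min(n for n, s in scores.items() if s >= 0.97 * best)


def recover_key(ciphertext: bytes, key_len: Optional[int] = None) -> bytes:
    """Most frequent byte per key position; with zero-dominated plaintext that is the key."""
    if key_len is None:
        key_len = guess_key_length(ciphertext)
    return bytes(Counter(ciphertext[pos::key_len]).most_common(1)[0][0]
                 for pos in range(key_len))


# Constructed PE-like image: DOS header, stub text, PE signature, some varied
# "code" bytes and a zero-filled alignment area, as real PE files have.
SAMPLE_PE_LIKE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 44 + b"\x80\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 22
    + b"PE\x00\x00"
    + bytes(range(256)) * 2
    + b"\x00" * 1024
)


def demo(password: bytes = b"sacara") -> Tuple[bytes, bool]:
    """Encrypt the sample, recover the key from the ciphertext alone, decrypt and compare."""
    ciphertext = xor_with_password(SAMPLE_PE_LIKE, password)
    key = recover_key(ciphertext)
    decrypted = xor_with_password(ciphertext, key)
    return key, decrypted == SAMPLE_PE_LIKE


if __name__ == "__main__":
    key, ok = demo()
    print("recovered key:", key, "plaintext restored:", ok)
```

The point for the rest of the post: anything an engine gains or loses against this sample comes from where and how the XOR loop runs (inside the Sacara VM), not from the secrecy of the password, which a static scanner could recover from the resource blob alone.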

The important point is that I used the Sacara VM to perform the decryption of the data. To do this I wrote a simple Sacara script that implements the decryption routine.

In order to have a realistic test I chose a malware sample from VirusTotal with a very high detection rate. After searching for the "Assembly" keyword I found this file: 3dd7ae0bca5e8e817581646c0e77885ffd3a60333a5bd24df9ccbe90b9938293, which has a detection rate of 65/68, as you can see in the following image:



Then, I ran the following command:
 LoadEncryptedAssembly.exe -b 3dd7ae0bca5e8e817581646c0e77885ffd3a60333a5bd24df9ccbe90b9938293 -p sacara
 -=[ Dynamically load encrypted Assembly SacaraVm sample ]=-
 For more information pass -h as argument
 New file 'LoadEncryptedAssembly.build.exe' generated. Run it to execute the program.
As I said before, the command takes the file, encrypts it using sacara as the password and embeds it in the resources. It generates a new file named LoadEncryptedAssembly.build.exe; if you run it you will see that, after a while, the original malware binary is executed.

The question is: how effective is this kind of protection? I uploaded the new file to VT (2e46664c52373b9ec14c64496cf1d18661e745fb83f1cdaaf73970d4fca59bbe) in order to analyze it, and as you can see from the following image the detection rate dropped drastically to 3/64:



Conclusion

As you have seen, an obfuscation based on a software VM allowed hiding a malware sample that had a detection rate of 65/68 behind a detection rate of 3/64. Note that the two scans ran against slightly different engine sets (68 versus 64), and that a VirusTotal file scan measures only what the engines detect statically or in their own emulators, not what they would catch once the VM has decrypted and run the payload.

The reasons for this may be various. I suspect that the transition from the managed world to the unmanaged world (in order to execute the decryption routine) may cause some problems. But this is something that most .NET malware already does, so I guess it shouldn't influence the result too much.

The second possibility is that the software emulation of the encryption code has caused trouble for the detection engines. Of course, all of this is pure speculation :)

References

[01] pasticciotto - https://github.com/peperunas/pasticciotto
[02] Reverse Engineering simple VM crackme - https://secrary.com/CrackMe/VM_1_MalwareTech/
[03] hyperunpackme2 by thehyper - https://crackmes.one/crackme/5ab77f5633c5d40ad448c280
[04] ReWolf x86 Virtualizer - https://github.com/rwfpl/rewolf-x86-virtualizer
[05] Reversing a Simple Virtual Machine - http://index-of.co.uk/Reversing-Exploiting/Reversing a Simple Virtual Machine.pdf
[06] Defeating HyperUnpackMe2 With an IDA Processor Module - http://www.msreverseengineering.com/blog/2014/8/5/defeating-hyperunpackme2-with-an-ida-processor-module
[07] Hackme - ftp://ftp.df.ru/pub/solar/dos/hackme.com
[08] Suspicious Floppy Disk - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/FlareOn5_Challenge12_Solution.pdf
[09] Flare-On 2018 - Challenge 12 - Subleq'n'RSSB - https://emanuelecozzi.net/posts/ctf/flareon-2018-challenge-12-subleq-rssb-writeup/
[10] Reverse Engineering Challenges! - http://tigress.cs.arizona.edu/challenges.html
[11] Tigress_protection - https://github.com/JonathanSalwan/Tigress_protection
