Monday, April 19, 2010

Windows ShellCode Detection

Hi Folks, today I wanna drive you through a nice malware analysis experience that happened to me this freshly morning. Basically, for a penetration testing commission, I had to evaluate some ShellCodes, coming up with some judgments on the efficiency and on the validity of them.
For this reason I performed tons of shellcode testing and stuff like that. But what is interesting right now is when analyzing the shellcodes, in both way: Statically and Dynamically, I find out that only few AVs detect them..... Come on guys, we are talking about shellcodes not new virus's paradigms ..... it should be very easy to detect since they span a shell... right ? (see dynamic analysis)

So let's try it. First of all you need to build your own payload. I built a generic windows reverse shell. The generate command under Metasploit3 is really useful in such case. The following image shows how to generate a simple payload using Metasploit3.




After you got the desired payload, you have to write a simple code to run it. The following image shows my simple payload running code.

Alright, what we need now is to compile our ShellCode launcher. Since I am a MAC user I use MinGw to compile for Windows platforms.

Here we go ! We got a wonderful a.exe Windows executable. Now, of course it works.. Just start :
nc -l 4444
on our local machine, run a.exe on your windows machine.. and everything work fine !
BUT it's not he point. The real point is coming now. Analyzing a.exe with some services like VirusTotal you discover that only few AVs detect the shellcode as malware.



As you can see these AVs such as: AVAST,GData and Microsoft detects the crafted shellcode, but they are only few of all and moreover they are neither the most used AVs in commerce. That seems very weird. So let's see if it's so difficult to detect shellcodes.
Summary of Dynamic analysis:

Interesting Libraries:
LoadLibrary(ws2_32)
LoadLibrary(mswsock.dll)
LoadLibrary(hnetcfg.dll)
LoadLibrary(rpcrt4.dll)
LoadLibrary(wshtcpip.dll)
CreateProcess((null),cmd,(null))
GetModuleHandle(winlogon.EXE)
LoadLibrary(version.dll)
LoadLibrary(cmd.exe)
GetModuleHandle(advapi32)
LoadLibrary(advapi32.dll)
LoadLibrary(ntdll.dll)

Execution:
Executing: c:\windows\system32\cmd.exe
CreateProcess(C:\WINDOWS\system32\netstat.exe,netstat,C:\Documents and Settings\Administrator\Desktop)
LoadLibrary(netstat.exe)
Executing: c:\windows\system32\netstat.exe
OpenService(RemoteAccess)
OpenService(Router)

[...]


Well .... an application which loads cmd and ntdll; which executes cmd and the netstat .. well doesn't look like a shellcode ? Is it so difficult to detect ? Since some AVs detect the shellcode means that it is possible to do, we do had confirmation about that using dynamic sandboxes analysis. So why important AV's companies don't recognize it ? Maybe none is doing dynamic analysis ? ;]. We'll figure out soon ..

No comments: