[Discussion] Just one question

Nathaniel Richmond nate+oisf at richmond-family.org
Fri Mar 20 17:43:44 UTC 2009


Another interesting evasion technique was part of David Kennedy's
Shmoocon presentation. Fast-Track can use Windows debug as an
evasion method when downloading tools to a compromised host.

A brief mention here:
http://eatingsecurity.blogspot.com/2009/02/shmoocon-2009-notes.html

His slides are here (3+MB PDF) and the use of Windows debug is
mentioned around slide 10:
http://www.thepentest.com/presentations/FastTrack_ShmooCon2009.pdf

From the slides:

*  There is a payload delivery method using windows debug,
this method takes specially formatted hexadecimal files and uses
windows debug to convert our hex back to a binary. Slight problem
with this technique is it has a limit of 64kb. If our payload is
larger than that, we have an issue (examples meterpreter, vnc, etc.)

*  Most attacks using this method drop a stager (like netcat
for example) and netcat will initiate an outbound connection to
download an additional payload > (often called a stager). Instead we
created a small 5kb executable that takes in raw hex and spits out
binary.

*  So we use our “stager” using the windows debug method for
our 5kb file, then use our custom application to then convert raw
hex to binary completely bypassing the 64kb restriction.

Will Metcalf wrote:
> Yeah I think there was malware in the wild last year that used
> bits...
> This guy published a PoC I believe.... that uses BITS to pull down
> an
> exe from his site...
>
> http://reconstructer.org/code/bitscode.zip
>
> Regards,
>
> Will
>
> On Fri, Mar 20, 2009 at 5:56 AM, Seth Hall <hall.692 at osu.edu> wrote:
>>
>> On Mar 20, 2009, at 12:55 AM, Will Metcalf wrote:
>>
>>> oops, sorry had content-disposition on the brain today.  I meant range
>>> requests, so for example malware x gets installed outside of your
>>> environment and a user brings it back into your environment.  Twice a
>>> day malware x checks for a new copy of itself but to avoid detection
>>> by inline AVs and something like the md5hash checks you speak of it
>>> pulls pieces of itself using range requests so almost like a download
>>> manager. How/can you deal with content reconstruction across multiple
>>> tcp sessions.  I know inline AV scanners for the most part can't
>>> properly deal with this, I was just wondering if bro could.  Hopefully
>>> that makes sense, I'm pretty sleepy at this point.... ;-)
>>
>>
>> Hah, that would be pretty sneaky.  Is there any malware that does
>> this?
>>
>> What's nice about Bro is that you can always modify your script so you
>> account for strange situations like this.  I think I might write a script
>> soon to see how common range requests are.  What this scenario does make
>> difficult is that it makes it harder to even identify that it's a windows
>> executable, but I suppose they'd have to download the beginning of the
>> file eventually anyway so you'd see one chunk of it matching as a windows
>> executable.  The easy hack we could do is kick off a download of the file
>> once we notice a range request for an executable file.  Bro will then
>> have an opportunity to see the full file.
>>
>> Thanks for the question, that had never even crossed my mind. :)
>>
>>  .Seth
>>
>> ---
>> Seth Hall
>> Network Security - Office of the CIO
>> The Ohio State University
>> Phone: 614-292-9721
>>
>>
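Reassembling a file delivered in byte ranges across separate HTTP sessions, the case Will asks about and Seth proposes to detect, as an added Python example that is not from the thread or from Bro: it collects Content-Range chunks for one URL, reports the gaps still missing, checks whether the chunk at offset 0 carries the DOS "MZ" magic, and only assembles the file once every range is present. The sample responses and their bytes are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: one executable fetched in three byte ranges, each over
# its own HTTP session and arriving out of order. Each tuple is
# (Content-Range header value, response body). Only the chunk that starts
# at offset 0 can reveal the 'MZ' DOS header.
SAMPLE_RESPONSES = [
    ("bytes 0-3/12", b"MZ\x90\x00"),
    ("bytes 8-11/12", b"\xde\xad\xbe\xef"),
    ("bytes 4-7/12", b"\x03\x00\x00\x00"),
]

CONTENT_RANGE = re.compile(r"bytes (\d+)-(\d+)/(\d+|\*)")


@dataclass
class RangeReassembler:
    """Collects byte-range chunks for one URL and tracks what is still missing."""
    chunks: Dict[int, bytes] = field(default_factory=dict)  # start offset -> body
    total: Optional[int] = None                             # from Content-Range

    def add(self, content_range: str, body: bytes) -> None:
        m = CONTENT_RANGE.fullmatch(content_range)
        if not m:
            raise ValueError(f"unparseable Content-Range: {content_range!r}")
        start, end, total = int(m[1]), int(m[2]), m[3]
        if end - start + 1 != len(body):
            raise ValueError("body length does not match Content-Range")
        self.chunks[start] = body
        if total != "*":
            self.total = int(total)

    def looks_like_pe(self) -> bool:
        # The MZ magic is only visible once the chunk covering offset 0 arrives.
        return self.chunks.get(0, b"")[:2] == b"MZ"

    def missing_ranges(self) -> List[Tuple[int, int]]:
        gaps, pos = [], 0
        for start in sorted(self.chunks):
            if start > pos:
                gaps.append((pos, start - 1))
            pos = max(pos, start + len(self.chunks[start]))
        if self.total is not None and pos < self.total:
            gaps.append((pos, self.total - 1))
        return gaps

    def assemble(self) -> Optional[bytes]:
        # Refuse to hand back a file until every byte has been seen.
        if self.total is None or self.missing_ranges():
            return None
        return b"".join(self.chunks[s] for s in sorted(self.chunks))


def reassemble(responses=SAMPLE_RESPONSES) -> RangeReassembler:
    r = RangeReassembler()
    for header, body in responses:
        r.add(header, body)
    return r
```

A scanner that only sees the first chunk can already flag the MZ header; the full buffer from `assemble()` is what a hash check or AV scan would need.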