Wednesday, March 29, 2017

CIA’s Malware Writing Tips and Tricks Vault7 leak

CIA’s ability to hack phones, computers, routers, TVs and just about anything didn’t surprise me – if NSA is able to do it, why couldn’t they. What impressed me the most is CIA’s witty approach to anti-virus evasion. Allow me to entertain you with world-class solutions to some problems in the field of AV evasion. This topic will be covered in a series of analytical articles as opposed to this relaxed introduction, so stay tuned!
Anti-Sandboxing: Wait for Mouse Click

Many anti-virus programs run the suspicious binary in emulated environment (sandbox) to see what happens. A handy trick, spotted by malware in the wild is to wait for the user to click before proceeding to malicious actions. A sandbox environments don’t mimic mouse actions (probably all of them) and will never execute the malicious behavior. This is probably effective against Kaspersky and others.

AVG Fake Installer Trick

Subtitle is kinda self-explanatory – naming your .exe “setup.exe” causes it to run undetected in many cases. Additional bonus, Windows will add the “shield” icon to the binary. Downside of this trick is a possible pop-up saying “Program didn’t install properly”, but it can be avoided by carefully crafting the manifest file.

Defeating Entropy Analysis

Avira and F-Secure are known for checking the amount of entropy in the binary so if the program contains encrypted shellcode, it won’t pass the test. Unless it has a RAR manifest file – then, of course, entropy is caused by archiving software. Also, CIA suggests adding RAR signature at the end of the file. Sweet!

Comodo Pitfalls

Let’s try with Comodo,a great piece of antivirus software (not sarcasm, really). Quote by CIA employee:

“Comodo is a giant PITA. It can and will catch and show your entire chain of execution and a great deal of your file I/O. If you drop and run, it will show where you drop, what you run, and what you run runs. Yeah, it’s that bad.”

But, there’s an oasis for malware binaries – Recycle Bin. Comodo doesn’t like trash, so it doesn’t dig there. Placing the binary in the root directory of the bin will ensure safe start for the malware, although the battle is not yet over as Comodo will detect some obviously malicious actions after that point.

Comodo takes a lot of computer resources to give malware authors mentioned colossal pain in the posterior. It literally monitors everything, including standard Windows services (!!). At least it did, before versions 6.X. Apparently, they decided that was suboptimal and made a step in the other direction. One big step, I gotta say – anything running with SYSTEM privileges is considered legit. Read that again, because if you got a kernel level exploit, you can play drums on the SYSTEM parts and as long as you run as SYSTEM, you’re fine. By the words of CIA employee: “this is a hole you could drive a very large wheeled freight carrying vehicle through”.

Unfortunately, many tricks are left as empty files and marked as “secret”, but let’s not be greedy here. If you like this topic, you can check CIA’s malware writing instructions that were written with forensic analysis in mind. Also, don’t miss my future series about evading anti-virus if you enjoy studying this as much as I do.