How to build the perfect malware? #1
What does it mean that an ideal malware tool should not be detected by a standard anti-virus? At the very least it means that the most basic detection mechanism, a lookup by file hash, must be evaded. An attacker with enough money who mounts a targeted attack can build a compilation pipeline that generates a unique malware executable per victim. Is it hard? No; below is one of the possible patterns in C.
The attacker may write a C program structured so that the logic relies on global variables and is split into static inline functions whose order can be changed freely. If the list of dynamically imported libraries is small enough, the first 4K of the executable will contain the main code block. If the attacker is smart enough to design many functions that fill the initial part of the main code block, and to compile those functions in a different order every time, the resulting binary will be different every time, and so will its first 4K.
In the example we have three functions: function_on_x, function_on_y and function_on_z. When decompiled they are easy to tell apart: one uses doubles and MMX/SSE registers, one calls malloc and one operates only on integers and standard CPU registers.
Every time we change the order of the three functions and compile the program we get a different file hash.
Our main code block is a concatenation of inline functions. Without a ‘nop’ operation it would be hard to find function boundaries (not every modification of the EAX register means a result is being returned from a call). This design pattern, together with the malware factory, allows a unique file hash per victim! The first 4K of the malware file can also have a unique hash. As a result a standard anti-virus can’t use a static definition based on a file hash. From the same codebase the attacker is able to generate many files, each with a different hash, so checking a suspicious file in VirusTotal would be useless.
A similar result (a unique executable) can be achieved with a modified UPX (or any other modified packer for executables). The packer should add some random garbage every time it compresses an exe.
It’s important to remove the UPX magic and modify the decompressor, because UPX is flagged by almost all anti-viruses, and high entropy alone is treated as a suspicious indicator.
Is it possible to protect an enterprise against a targeted attack that uses a unique executable? Yes: with an EDR product that stores the hash of every executed program as telemetry from each protected machine. Across all assets it is then possible to report which files have never been seen in the IT landscape. If something is totally new, never seen before, it is suspicious and can be detonated in a sandbox.
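The detection logic described above, written out as an added example that is not part of the original post and not any vendor's EDR code: a fleet-wide baseline of previously seen executable hashes is compared against today's process-execution telemetry, and anything both unseen and running on very few hosts is raised for sandbox triage. The telemetry format (`timestamp|host|path|sha256`), the host names, paths and hash values are all constructed for the example; real SHA-256 values would be 64 hex characters. The prevalence filter is an assumption added here to separate a per-victim binary (one host) from a legitimate software rollout (many hosts on the same day) that is also "new" to the baseline.

```python
"""First-seen / low-prevalence executable detection over EDR process-execution telemetry.

Added example (not from the original post). All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ExecEvent:
    ts: str
    host: str
    path: str
    sha256: str


# Fleet-wide baseline: hashes already seen on earlier days (constructed values).
KNOWN_HASHES = {"hash-notepad", "hash-chrome", "hash-updater"}

# Today's process-execution telemetry, one event per line: timestamp|host|path|sha256.
# Paths may contain spaces, so the delimiter is '|' rather than whitespace. Constructed data.
SAMPLE_TELEMETRY = """\
# comment lines and blank lines are ignored
2024-01-01T08:00:00Z|ws-01|C:\\Windows\\System32\\notepad.exe|hash-notepad
2024-01-01T08:01:00Z|ws-02|C:\\Program Files\\Google\\Chrome\\chrome.exe|hash-chrome
2024-01-01T08:02:00Z|ws-03|C:\\Users\\bob\\Downloads\\invoice.exe|hash-unique-1
2024-01-01T08:02:30Z|ws-03|C:\\Windows\\System32\\notepad.exe|hash-notepad
2024-01-01T08:03:00Z|ws-04|C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe|hash-unique-2
2024-01-01T08:04:00Z|ws-05|C:\\Program Files\\Google\\Chrome\\chrome.exe|hash-chrome
2024-01-01T09:00:00Z|ws-06|C:\\Program Files\\App\\app.exe|hash-rollout
2024-01-01T09:00:05Z|ws-07|C:\\Program Files\\App\\app.exe|hash-rollout
2024-01-01T09:00:10Z|ws-08|C:\\Program Files\\App\\app.exe|hash-rollout
"""


def parse_telemetry(text: str) -> list[ExecEvent]:
    """Parse the constructed '|'-delimited telemetry; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # drop malformed records rather than crash the pipeline
        events.append(ExecEvent(*parts))
    return events


def prevalence(events: list[ExecEvent]) -> dict[str, set[str]]:
    """Map each hash to the set of hosts it executed on (fleet prevalence)."""
    hosts_by_hash: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        hosts_by_hash[ev.sha256].add(ev.host)
    return dict(hosts_by_hash)


def first_seen(events: list[ExecEvent], baseline: set[str]) -> list[str]:
    """Hashes executed today that the fleet has never recorded before (sorted)."""
    return sorted({ev.sha256 for ev in events} - baseline)


def triage(events: list[ExecEvent], baseline: set[str], max_hosts: int = 1) -> list[ExecEvent]:
    """Events worth sending to a sandbox: hash never seen before AND present on
    at most `max_hosts` hosts. A per-victim binary scores exactly one host; a
    company-wide software rollout is new too but shows up on many hosts."""
    unseen = set(first_seen(events, baseline))
    hosts_by_hash = prevalence(events)
    return [
        ev for ev in events
        if ev.sha256 in unseen and len(hosts_by_hash[ev.sha256]) <= max_hosts
    ]


def update_baseline(baseline: set[str], events: list[ExecEvent]) -> set[str]:
    """After triage, fold today's hashes into the baseline so they only alert once."""
    return baseline | {ev.sha256 for ev in events}


if __name__ == "__main__":
    evs = parse_telemetry(SAMPLE_TELEMETRY)
    for alert in triage(evs, KNOWN_HASHES):
        print(f"first-seen, low-prevalence: {alert.host} {alert.path} {alert.sha256}")
```

Running the block prints the two single-host unknown executables (invoice.exe and setup.exe) and stays silent on app.exe, which is new to the baseline but runs on three hosts at once. Raising `max_hosts` widens the net at the cost of more sandbox submissions; the right threshold depends on fleet size and how often legitimate one-off binaries (developer builds, portable tools) appear.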
In part #2 I’m going to write about dynamic function imports.