Testing WildFire

L1 Bithead

I did some tests on WildFire. I created backdoors, linked a backdoor with a legitimate file, and played around with malware and obscured malware with the goal of bypassing it.

The results and scenarios can be found on my website.

Any comments or remarks are welcome.

10 REPLIES 10

Thanks all for the information. My goal was to embed an executable file into a PDF file, but WF currently does not scan PDF files. That's the reason I played around with exe's.

1. When I ran the three executables, they were able to bind to the attacker machine since I had a shell. The executable is a meterpreter shell which is fully loaded in memory. From this shell I can upload 'malicious' files and own a system. To evade AV/IPS systems, the payload is fragmented in memory so that AV/IPS software is not able to detect this as malicious. I did some tests in my lab. I don't have a public IP that I can test with.

2. The next test I'll do is IPS and exploitation. This doc will be available in the coming weeks.

3. PEScrambler is just one of the examples. There are others like Themida, etc. You can use any scrambler you find on the internet. The goal is indeed to create another file (hash) to evade AV.

I still have two questions:

  • Is WF vulnerable to a hash collision attack?
  • How does WF work internally? Does it see how many malicious activities are executed in a certain amount of time, or just scan the behaviour of the file executed?

In my examples I've used a reverse shell. But you can take whatever malware you like. The purpose was to verify whether WF was able to detect a malicious file when it's linked into another exe file. If WF executes only the first exe, I was curious whether it's able to see my malicious file.

If WF is not able to scan PDF and DOC files, it is still a threat, because most of the malware is now embedded into these files. Imagine an Excel sheet which contains some executable code. When a user opens an XLS file, a reverse shell or malware can be executed.

Recommendations:

Always implement a defense in depth strategy.

  • In my test I only enabled WF. But AV and threat prevention profiles should be enabled as well.
  • Do not allow http(s) as a service but use App-ID. This type of reverse shell is not detected by App-ID and will be denied.
  • Monitor your unknown-tcp/udp traffic.

It is not always easy to understand how stuff works, but we can learn a lot while playing with it. As security professionals we all try to protect our environment, but against what? To better address this, we have to know how all this stuff works.

Thanks for the comments/suggestions
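
The "monitor your unknown-tcp/udp traffic" recommendation above, sketched as a log review script. This is an added example, not part of the original post and not vendor code; the CSV column names, the sample rows, the `summarize_unknown` function and the repeat threshold are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in a simplified CSV layout (assumption: this is NOT the
# firewall's native export format; map your own log columns onto these names).
SAMPLE_LOG = """\
time,src,dst,dport,app,action,bytes_sent
2024-01-10T09:00:01,10.1.1.23,198.51.100.7,443,ssl,allow,5120
2024-01-10T09:00:05,10.1.1.42,203.0.113.50,443,unknown-tcp,deny,312
2024-01-10T09:01:05,10.1.1.42,203.0.113.50,443,unknown-tcp,deny,312
2024-01-10T09:02:05,10.1.1.42,203.0.113.50,443,unknown-tcp,deny,312
2024-01-10T09:02:30,10.1.1.17,192.0.2.9,53,dns,allow,80
2024-01-10T09:03:00,10.1.1.31,192.0.2.77,8080,unknown-tcp,allow,90211
2024-01-10T09:04:10,10.1.1.23,192.0.2.9,5353,unknown-udp,deny,64
"""

UNKNOWN_APPS = {"unknown-tcp", "unknown-udp"}

def summarize_unknown(log_text, repeat_threshold=3):
    """Group unknown-tcp/udp sessions by (src, dst, dport) and flag the ones worth a look."""
    groups = defaultdict(lambda: {"count": 0, "allowed": 0, "bytes": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["app"] not in UNKNOWN_APPS:
            continue
        g = groups[(row["src"], row["dst"], int(row["dport"]))]
        g["count"] += 1
        g["bytes"] += int(row["bytes_sent"])
        g["allowed"] += row["action"] == "allow"
    findings = []
    for (src, dst, dport), g in sorted(groups.items()):
        reasons = []
        if g["allowed"]:
            reasons.append("allowed-unknown")    # policy let unidentified traffic out
        if g["count"] >= repeat_threshold:
            reasons.append("repeated")           # same host keeps retrying one destination
        if dport in (80, 443):
            reasons.append("web-port-non-web")   # web port, but not identified as web traffic
        if reasons:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "sessions": g["count"], "bytes": g["bytes"],
                             "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in summarize_unknown(SAMPLE_LOG):
        print(finding)
```

A denied-but-repeated entry on a web port points at a host that needs investigation even though the policy held; an allowed entry points at a rule that still matches on port rather than application.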

