03-12-2013 03:34 AM
I did some test on WildFire. I've created backdoors, link backdoor with a legitimate file, and playing around with malware, and obscure malware with the goal to bypass.
The result and scenarios can be found on my website.
Any comments or remarks are welcome
03-14-2013 12:59 AM
Thanks all for the information. My goal was to embedd and executable file into a pdf file, but WF currently does not scans pdf file. Thats the reason I played around with exe's.
1. When I ran the three executables, they where able to bind to the attacker machine since I had a shell. The executable is a meterpreter shell which is fully loaded in memory. From this shell I can upload 'malicious' files and own a system. To evade AV/IPS systems, the payload is fragment in memory so that AV/IPS software is not able to detect this as malicious. I've did some test in my lab. I don't have a public IP were I can test with.
2. The next test I'll do is IPS and exploitation. This doc will be available in the coming weeks.
3.PEScrambler is just one of the examples. There are others like Themida, etc.You can use any scrambler you find on the internet. The goal is indeed to create another file (hash) to evade AV.
I have still two questions:
In my examples I've used a reverse shell. But you can take whatever malware that you like. The purpose was to verify if WF was able to detect a malicious file when its linked into another exe file. If WF executes only the first exe, I was curious if its able to see my malicious file.
If WF is not able to scan PDF and DOC files it is still a threat. Because most of the malware is now embedded into these files. Imagine an excel sheet which contains some executable code. When a user open an XLS file, a reverse shell or malware can be executed.
Always implement a defense in depth strategy.
It is not always easy to understand how stuff works, but we can learn a lot while playing with it. As a security professional we all try to protect our environment but against what? To better address this, we have to know how all this stuff works.
Thanks for the comments/suggestions
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!