Hi. My name is Sean Pearson, and I'm the subject matter expert for Introduction to Malware Analysis.
Today we're going to be talking about malware defenses.
Now, when I say malware defenses, I'm usually referring to anti-debugging, anti-virtual-machine or anti-disassembly code.
But this can also mean anti-analysis code. And generally that's made to stop us from analyzing the sample. So some samples will look for tools and disable them, or just stop running when they see them, or they will do something completely different than the original objective.
So I know one sample, one large botnet: when it detects that it is being instrumented, or it is in a virtual machine or sandbox, it will open up a port, some high-numbered port, and it will begin listening on that port for connections, and it will act on those connections. So it looks like a very simple backdoor. But in actuality, it is a botnet that would go out to the command and control server and pull down more instructions, if it wasn't detecting that it is in a virtual machine.
defense code, I would also say sometimes offensive. So there were two big samples back in the day, Zeus and SpyEye, and they were kind of going at each other, and they would take each other out if they found that the other family was installed on the computer.
malware family out there called ZeroAccess, and it is pretty vicious: when antivirus, or any program really, tries to access it, it will go and corrupt the file that is trying to access it on disk, and will kill the process.
So, defensive examples and offensive ones, I generally kind of group them all the same: the malware authors are trying to make it more difficult for automated analysis in sandboxes, or to slow down our analysts.
I like to break things down into three major categories. Four major categories. The first is anti-debugging. In the past we have pulled up OllyDbg, and we've kind of stepped through some things,
but we haven't used it a whole lot. But that is a big tool used by malware analysts. And instead of reverse engineering and figuring out every little thing, we can just say, oh, that looks like an interesting spot in memory, you know, we place a breakpoint there and execute the malware up to that point, and then look to see what's in that buffer or, you know, whatever else we want. If we want to see what that C2 IP address or domain name is, we can just place a breakpoint right before it's about to make a network connection to it, and we can see what it is. Wherever it grabbed it from in memory, however it decrypted it, we don't really care. We just run to that point and then say, OK, what is it?
It can't really hide it.
builds in anti-debugging code to stop a debugger from attaching, or to stop the debugger from finding out what's going on in that process. And there are a lot of tricks to that, and we'll go over some of the major, obvious ones.
The second category is anti-virtual machine. Now most malware is executed in virtual machines, or detonated in virtual machines, and some platforms do this automatically, like VirusTotal, Cuckoo, um, Cuckoo Sandbox, Joe Sandbox, ThreatGrid.
And they all try to hide the fact that the malware is in a virtual machine.
But it's a back and forth battle. Sometimes there are really clever techniques. Sometimes there are not so clever techniques, like, more recently, a lot of pen testers are just testing to see how many cores are on the computer. If it's more than two cores, then, okay, it's a modern computer, and then they continue execution. If it's less than that, they figure they're in an underpowered VM, because these people like to build huge clusters of underpowered VMs, detonate malware in there and see what happens. They don't really give it a whole lot of resources like memory or cores or CPU.
So anti-virtual machine code could be as simple as checking the number of cores, or as advanced as trying to execute instructions only virtual machines can execute, like the VT-x VM instructions, or checking parts of memory that a virtual machine can't actually access.
The next category is anti-disassembly. So if we pull up a sample in IDA, we'll sometimes see things that don't make a whole lot of sense, or that we can't really continue with. Like if you pull up some malware that's written in Visual Basic, in VB, IDA Pro won't really help you that much. You have to do other things, or use other tools, or find other methods.
Um, malware that's written in Delphi, that's another programming language that's a little bit more popular in Russia and Brazil; I've never seen anyone use it. IDA Pro doesn't really handle that very well. Or some are written in .NET, or any of the .NET-style languages like VB.NET or, um, JScript or ASP. You know, those are bytecode, interpreted or compiled languages. So IDA Pro doesn't really help you a whole lot there.
But when I say anti-disassembly, I don't mean the language that was used to create them. I more mean, like, it's usually assembly that the malware author has created specifically that will break the algorithms used by disassemblers, and we'll talk about that in a little bit.
When I talk about malware defenses, like anti-debugging, anti-virtual machine or whatever, those are usually put in by malware authors, like I said, to stop automated analysis of their malware, by using documented or undocumented API calls, or using anti-disassembly techniques like we saw in the Illusion bot, where it dynamically would call its main function by putting the return address manually on the stack, and then using the ret instruction to actually jump to main instead of returning to the function that called it.
Now you may ask, okay, this is all great, and we've seen packers before and, you know, we can get around those and we can, you know, do this type of stuff. Why don't antivirus companies just look for these techniques and then just blacklist malware? And the answer is, the same as with packers: a lot of companies will use these techniques to thwart pirating of their software, or they try to use it in digital rights management, or DRM, or try to protect their intellectual property, try to protect algorithms when
anti-disassembly technique, not really, it's more of a miscellaneous technique, is to fill the code with junk code, um, no-operation code, or NOP code, or whatever else: instructions or API calls that really don't result in anything functionally changing in the malware software. So let's look at a basic anti-debugging technique used by malware. There is a function call in Windows that is widely supported, and it's very simple, and it is just IsDebuggerPresent.
If it returns true, that means that it checked a certain location of memory, and in that spot in memory it has been marked as, yes, there's a debugger attached. And a lot of malware will just exit zero, or terminate the process, or, um, phony code, or whatever else.
Now we've got to be careful, because I've seen a lot of sandboxes that will say, oh, this malware, you know, called IsDebuggerPresent, has these capabilities, it'll do this, blah, blah, and that's not quite right.
I've seen this function used in frameworks all the time. So if I've written a small application that takes an image and flips it around, like it just does a little simple transform on it, inside the framework it calls this function left and right, because the framework needs to know if it should print out debug statements, or should, you know, act a little differently, or put extra padding around its memory.
So just because you see this function doesn't mean it's malware. It just means the code is trying to be more aware of whether a debugger is present.
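As an added example, not part of the lecture: the caveat above is that an IsDebuggerPresent call by itself is not evidence of anti-debugging, only a positive result followed by an evasive reaction is. This Python snippet applies that rule to a sandbox API trace; the trace format, the two constructed traces and the three-call reaction window are assumptions made for the example.

```python
import re

# Constructed sandbox API traces (not from the lecture): "seq api -> return value".
# First trace: the evasive pattern the lecture describes (positive check, then exit).
EVASIVE_TRACE = """\
1 GetModuleHandleA -> 0x400000
2 IsDebuggerPresent -> 0
3 IsDebuggerPresent -> 1
4 ExitProcess -> 0
"""
# Second trace: a framework calling the same API "left and right" and carrying on.
BENIGN_TRACE = """\
1 IsDebuggerPresent -> 1
2 OutputDebugStringA -> 0
3 IsDebuggerPresent -> 1
4 CreateFileA -> 0x1c
"""
LINE_RE = re.compile(r"^(\d+)\s+(\w+)\s+->\s+(0x[0-9a-fA-F]+|\d+)$")
ABORT_APIS = {"ExitProcess", "TerminateProcess"}
WINDOW = 3  # calls after a positive check that still count as reacting to it

def parse_trace(text):
    # Parse trace lines into (seq, api, return_value); skip lines that don't match.
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            seq, api, ret = m.groups()
            calls.append((int(seq), api, int(ret, 0)))
    return calls

def find_debugger_evasion(text):
    """Return (check_seq, abort_seq) pairs where IsDebuggerPresent returned nonzero
    and the process aborted within WINDOW subsequent calls."""
    calls = parse_trace(text)
    hits = []
    for i, (seq, api, ret) in enumerate(calls):
        if api != "IsDebuggerPresent" or ret == 0:
            continue
        for seq2, api2, _ in calls[i + 1:i + 1 + WINDOW]:
            if api2 in ABORT_APIS:
                hits.append((seq, seq2))
                break
    return hits

def verdict(text):
    """Count the checks, but base the verdict on the reaction, not the API name."""
    checks = sum(1 for _, api, _ in parse_trace(text) if api == "IsDebuggerPresent")
    hits = find_debugger_evasion(text)
    label = "likely anti-debugging" if hits else "check present, no evasive reaction"
    return checks, hits, label
```

The benign trace has more IsDebuggerPresent calls than the evasive one, yet only the evasive trace is flagged, which is the distinction the lecture asks sandbox reports to make.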