Agents with unique hashes

[mssalvatore]

Description

Metamorphic/Polymorphic malware modifies itself to evade detection. As a result, no two copies of the malware share the same hash. Infection Monkey could emulate this property if each copy of the agent had random bytes appended to it.

On startup, if the agent's configuration includes a boolean to enable/disable this behavior, the agent can apply a decorator to its AgentBinaryRepository that would append a random number of bytes to the end of the agent.

While this won't actually make the agent metamorphic, it would emulate the property that each agent would have a unique hash. More advanced techniques/features should be added in the future. Take this into account when planning tasks.

Tasks

• Add a new section to AgentConfiguration for polymorphism (0d) - @shreyamalviya
  • New sub-configuration with a single boolean option
• Update the configuration UI schema to support the new configuration option (0d) - @shreyamalviya
• Documentation (0d) - @shreyamalviya
• Fix checkbox description not displaying in Polymorphic tab (0d) @ilija-lazoroski
• Write a decorator for Agent's AgentBinaryRepository that will append 16 random bytes every time an agent is requested (0d) @mssalvatore
  • Read AgentConfiguration and decide do we need to decorate Agent's AgentBinaryRepository (monkey.py)
• Modify the Agent to include its own sha256 hash (0d) @cakekoa
  • Modify the Agent model to have a sha256 field
  • Modify AgentRegistrationData to have a sha256 field
  • Modify handle_agent_registration to include sha256
• Modify the Agent to calculate the sha256 and include it in AgentRegistrationData (0d) @mssalvatore
• Modify some BB tests to enable polymorphism (0.5d)
  • Create a function that asserts the uniqueness of agent hashes @mssalvatore
  • Update depth_1 and depth_3 to check for unique hashes

[acepace]

Note if you use PyInstaller, I think it has a random seed and option for encryption which should give you what you want

[shreyamalviya]

Are you thinking of this? We can't use this because we don't want to rebuild the binaries every time the Agent has to propagate. I couldn't find anything else relevant in the documentation.