1
00:00:02,520 --> 00:01:06,390
So yeah, my name is Jonathan Ross. I'm here to discuss obfuscation and PDF malware, and how I nearly created a FUD. So I'm a [fourth-year] Ethical Hacking student here at [Abertay], [unclear], looking for a graduate [job]. I'm currently interning as a cyber security consultant with Curious Frank, which is a division of the Scottish Business Resilience Centre. I've got past experience in IT support. My interests include red teaming, offensive security, anti-phishing and [unclear] helping people be secure. So yeah, in terms of what's to come: I'm gonna start by covering the basics of PDFs themselves and malware, and some of the obfuscation techniques, how they work, how these obfuscation techniques can be applied, and evaluating them, how effective they are or not against antivirus. Then I'll open the floor up to questions. Before I start, I'd like to give a shout-out to Didier Stevens, because I based a lot of my work on his; he's kind of like the grandfather of this kind of PDF document malware [analysis]. So, PDFs for dummies, back to basics.

2
00:01:06,390 --> 00:02:20,310
So for those who don't know, basically what a PDF is, is a document, obviously, but it's gained praise due to its rich feature set and compatibility, the idea of cross-platform, so it's very widely available. So it's interesting because PDFs can contain embedded executables or even be used to execute JavaScript embedded within them. So the JavaScript is normally used for the likes of enhancing appearance and additions like dynamic forms and tables. In terms of actual structure, a PDF consists of four parts. You've got a header, which is kind of tailored to the version of PDF that's been used; the body, which is made up of objects, so this is where all your content is, all your images, all your forms and stuff like that; the cross-reference table, or the xref table, that specifies the positioning of all these objects; and then there's a trailer, which has information about where the [xref table] starts. So in terms of objects within the body, they can include the likes of numbers, arrays, dictionaries, streams. Streams, these are really important to us and I'm going to discuss that more later, but that's more about... with streams you can actually, that's where you can physically embed data.

3
00:02:20,310 --> 00:03:37,290
So as an example, this is from one of Symantec's papers on PDF malware. At the top here we've got the PDF header, then the first object declaration, the second one here, then you've got the cross-reference table and the trailer. So moving on to PDF malware itself: why is it being used? So it's kind of [unclear], or at least in my opinion. When I was doing this project for university, the first thing I did was Google "PDF malware", and believe it or not the first thing that came up in Google was "can a PDF contain malware", which I thought was quite interesting. But to put it into context, Symantec in their 2010 paper "The Rise of PDF Malware" actually said that PDF malware is now [unclear] macro [unclear]. And also, a bit more context: so everyone's like, yes, you can embed malware, but are there vulnerabilities? On Patch Tuesday in December of last year Adobe actually fixed 87 vulnerabilities within Reader, so there's still [unclear] developers out there. And also virtually every PC has a PDF reader, so attacks are potentially a lot wider than, for example, someone using Microsoft Office.

4
00:03:37,290 --> 00:04:38,190
In terms of actually executing the malware, it's either within JavaScript within PDF streams, as I discussed, or it could be executed via executables that trigger on open of the PDF. Now currently the JavaScript-based kind of malware is more popular, purely because back in 2010 Adobe Reader version 9.3.3 was patched so that you can't actually use executables anymore. So the obfuscation techniques I discuss will focus more on the actual JavaScript side of things rather than the executable side of things. So going on to the obfuscation techniques, the first one we've got is the XDP file format, so XML Data Package. Basically Adobe created this so they could convert a PDF to an XML format. So why is it used in malware and obfuscation? So basically back to the principle that it's kind of a weird, unusual format: the antivirus vendors can't, or their systems can't, detect it, as they don't really know what it is. Moving on, this is actually what an XDP file looks like. It's made up of an XML header up here, the chunk in the middle is just a base64 encoded representation of the contents of the PDF, and then there's a little [footer] at the bottom there. Pretty basic stuff.

5
00:04:38,190 --> 00:06:19,380
Next up we've got JSFuck. I don't actually know... that's just kind of, that's not the technical term, but within JavaScript it is possible to represent anything with these following six characters. So for example, this is how you'd represent the number five using JSFuck. So I'm gonna work through an example; if I do this really horribly then I apologise, but I'm just going to go with it. So this is how you represent the character "e" in JSFuck. So we're gonna break that into two parts, red and green (sorry if you're colourblind, but I am). So if you have an open square bracket, close bracket, that's nothing. So if you "not" nothing, that becomes false, and if you "not" that again, that becomes true. So that becomes true, plus nothing equals "true". So the second part here, it's "not not plus nothing" a few times: that becomes "not nothing", which becomes true; three trues becomes one plus one plus one, which equals three, and therefore the third item in "true" becomes "e". Does that make sense? Thanks, Mike. So I don't actually know who made those up. [Audience remark, unclear: something about Brainfuck-style operators.] Yeah. So this is... a lot of antivirus are gonna look for keywords and look for instances of shellcode, and this is kind of just gonna disguise it. There is an issue: it adds complexity and it adds to the file size. If you can imagine, right, if that's how you represent "e", then imagine if you're encoding an entire chunk of JavaScript with that. Also, execution time slows down.

6
00:06:19,380 --> 00:07:11,830
Next we've got the JavaScript string replace method, which is pretty much search and replace. So the idea is you take a word, so you use the replace function on an object or a variable, with a regular expression, for example, for what you want to replace the word with, and then the word... or rather, the word that you're searching for, and then what you want to replace it with. So I've got a quick example up here: "the dog went for a walk" [unclear], and the regular expression replaces all instances of "dog" with [unclear], so that'll become "my [unclear] went for a walk" [unclear]. So why do we use it? So antivirus, as I said earlier, often looks for the likes of shellcode and function names, and by disguising the shellcode, by basically making it look like it's not there and then reassembling it later on before execution, sometimes it bypasses antivirus.

7
00:07:11,830 --> 00:08:40,150
Next up we've got encoding and compression of stream objects using certain filters. So basically within PDFs it's possible to compress streams or encrypt streams or encode them, in an attempt to kind of reduce the file size. So Symantec pointed out here why it's used in PDF malware: unless antivirus software supports all the compression and encoding types supported by Adobe, it won't be able to decompress, decode and scan for malicious code. So this is just a screenshot taken from the paper I wrote. In terms of what you can actually compress or encode with, there's the likes of [unclear], Flate, which is the default compression method for PDFs, and also [unclear], which goes back to JPEG, and so on and so forth. So it's all well and good that you're compressing that data, but the PDF needs to read it, so we've got these things here called PDF stream filters. The idea of the filter is that once the PDF opens, it'll recognise "oh, I need to do all these things in order to read that". So this here is just an example of malware from one of Symantec's papers discussing it. So the idea is they worked backwards: so that's the [first] encoded one, linked four times, [compressed] that way and so on, and then [decoded] that way. So this is the final result, the code that needs to run. So the idea is, when the PDF opens and reads this, it's the other way, it goes forwards, so it can be read in plain text and executed.

8
00:08:40,150 --> 00:09:40,000
So the JavaScript eval function: based on this, the principle is just to concatenate strings together. Like in a simple example, "hello" [and] "world": eval of a plus b would show "hello world". So why is it used? It's typically used to further obfuscate other functions within [the JavaScript], like telltale function names within the malware. So for example, we've got up here "unescape"; so unescape is used to decode strings and that's typically used when there's a presence of shellcode. So in terms of the actual methodology for this project: method one, create a baseline. So I created multiple baselines, all the same, then I just added all the obfuscation techniques that I've discussed there, and then at the end I added all of them into one file. I tested them to ensure they would execute, so I used an XP Service Pack 3 VM with Adobe Acrobat 8.1.2, which is a pain because I probably got malware downloading that. And then I ran it through VirusTotal for evaluation.

9
00:09:40,000 --> 00:10:43,600
So in terms of actually creating the malware itself: I'm lazy, so Metasploit, surprise. So the actual exploit here is the util.printf module. So I believe that is a buffer overflow exploit using [unclear] string, in versions of Adobe Reader before 8.1.3, and because I'm cliché, as a proof of concept it pops calculator. So what I did notice is that the actual module had applied some obfuscation by default. So that's a normal PDF stream here; I discovered that it was being encoded [and] compressed, so I did a bit of reverse engineering on it, which was quite fun. So the first thing I did was I ran it through PDF Stream Dumper, which is a good tool for basically breaking down the streams and being able to read them and reassemble a PDF; it's great for reverse engineering. So I did that, and then found out the object declarations and the trailer had like random hexadecimal characters placed throughout; I replaced that back with [plain text]. Then I removed the redundant stream filters, and in addition all the variable names were really long, complex or just kind of [unclear], so I made it a lot simpler for myself so I could actually understand what's going on.

10
00:10:43,600 --> 00:12:18,650
So before I go on, here is the original de-obfuscated PDF. Header up here, here's the object declarations, and all the [unclear]... the object that contains the JavaScript, and this is my shellcode, and this is the physical JavaScript that will execute and open calculator. I'm not 100% sure what it does, like [unclear], but in general that's the gist of it. So firstly I added XDP obfuscation. So back in 2011, that's when XDP obfuscation first came to light; a guy called Alexander [surname unclear], a security researcher, published on his blog about it and he created this Metasploit module, pdf2xdp. It's basically, you just give it a PDF and it will convert it to XDP for you. So that's just the name of the original file, the name of the new file, very simple. And JSFuck, and as a consequence you're tied to eval as well. So for that I used the online tool called jsfuck.com, but because it was like web-based I could only encode like one line of JavaScript at a time, three [unclear]. So I tried to do the shellcode, but I was like, this is a uni project, I don't have hours upon hours to [encode] the shellcode, and [unclear]. But I realised, kind of in hindsight, I could have used a smaller payload [unclear] other payloads. But the reason why eval is required is because, obviously, if you concatenate all these things together... and you're not concatenating, but obviously with JSFuck you've got, like, lots of plus signs and whatnot, you're gonna have to use an eval to concatenate them all together.

11
00:12:18,650 --> 00:14:12,750
Next up, string replace. So where did I do it: instances of shellcode, instances of the util.printf [unclear], and also the unescape I mentioned earlier. So how did I do it: I basically [unclear], and I just looked around for random objects in terms of what I was gonna use in the replace. So for example, "goodbye", "zero", "guitar", "one", "lamp"; so that's what I replaced it with. Similarly for the util.printf I just added random characters, [unclear] and so on and so forth. So this is what the JSFuck PDF looks like; so again, similar, I've got the shellcode... I forgot to show you [unclear], that's my bad. [unclear] So that's a little bit of code here, [unclear]. An interesting [thing]: the original de-obfuscated version took, I'd say, a second [to execute], whereas this one took a good seven seconds from opening the PDF for calculator to pop up, so it really does slow [it down]. I think the file size went from about [unclear] to [unclear] for this one document. So yeah, the string replace PDF: here's what the shellcode looks like, it's just all the random collections of words. Scroll down and then here's me doing the replace. [unclear] On the unescape, all I did was I [put] instances of "1" between it and then reassembled it by replacing instances of "1" with nothing. [unclear] And here we have the variable that is the... I think that's what pops the calc, and so that was what util.printf became, and then I replaced that.

12
00:14:12,750 --> 00:16:01,139
So stream filter obfuscation: it wasn't difficult, [but] kind of tricky to get done, so I decided to just keep it basic. So I did a base85 to hexadecimal, and compressed the resulting hex into Flate. So I just took the source code for the Metasploit module and edited it slightly, and then, because I used the actual module, I had to remove the built-in obfuscation as before, to only have plain text. So in terms of actually changing the source code, it was really kind of cool, [I'd] never done any Ruby stuff before. So this is kind of where the JavaScript is; then I just replaced everything between that line and that line there with the hexadecimal. I renamed [it], because I'd already used the hex [variable name]. That's the function here where it compresses it using Flate; I just removed a bunch of the redundant function calls. So in addition, obviously, the stream filter had changed, it was [just] Flate, so I just had to change it to incorporate base85. So this one there's not really much to see, because it's just all kind of gobbledegook which can be read in the PDF reader but not by [us]; it's just the stream filters, I thought I'd just show it. So as I said earlier, I applied all the obfuscation techniques at the end: so I did the string replace, then JSFuck and eval, then used stream filters and finally converted it to XDP. So in terms of evaluation, as I said earlier, I used VirusTotal. For those who don't know, VirusTotal is basically like an online... it's like an online antivirus; you submit a URL or a malicious, what you think to be a malicious, document and it'll scan it for you. So there's over 60 scanning engines, but what's interesting is they're pretty vague about what capability they work at, because obviously it's a free service; you're not gonna get the likes of Avast or AVG giving you the full suite online for free.

13
00:16:01,139 --> 00:17:38,450
So take these results I'm about to show you with a pinch of salt. If you want more information about that, there's a good talk at BSides London by [unclear] called "Offensive Anti-Analysis", I recommend checking it out. So in terms of actual results: the de-obfuscated PDF got about 33 detections, which is actually alright considering I've done nothing to that, straight out the box. XDP was really good at 15, JSFuck and eval 12, string replace 22, and unsurprisingly the stream filter one was [unclear], because I wasn't really adventurous with it. This was run in April last year, so I know for a fact that if I reran these I would get entirely different results, as the engines [have been] updated. But most importantly, the combined [file] got one detection, which I thought was quite cool, and also it was Trend Micro; no one uses Trend Micro, so I [nearly] created a FUD. Another interesting thing I found was that every time you run something through VirusTotal you can watch [unclear]. So another interesting thing: multiple scanning engines detected my malware using the same signatures. So for example here we've got [unclear] and ZoneAlarm using the same [unclear], so I think the detections... it's kind of the moral of the story: if you can bypass one antivirus engine, there's a likely chance to bypass another one. So yeah, that's pretty much my talk. I'll open the floor for questions. If you've got any [unclear], you can catch me [unclear] or on Twitter. And in addition, I know a lot of presentations have cat [pictures], so I thought I'd bring her back for the cat lovers; yes, that is GDPR compliant, I did ask my cat if I could use the picture, and all I did was not turn the washing machine on with my cat. Thank you very much.

14
00:17:43,490 --> 00:19:08,480
Has anybody got any questions? [Question inaudible.] Yeah, there were some more complex ones. It's been like a year since I've looked at it much, but there are other techniques; there's a couple of good papers if you want me to point you in their way. Anyone else? [Question inaudible.] I think it's because not all of them can read it, or not all of them are the same capability. Also, VirusTotal, I see, is kind of hush-hush about how they do it. [unclear] I think it was the... yeah, so XDP, as it has an unusual file format, only 53 of the engines actually were able to run it. Anyone else? [Audience:] So the heuristic you've got up there, presumably that heuristic is "this PDF looks crazy"? Yeah, I think it was pretty much [unclear]. [Audience:] Did you ever try using a bunch of these obfuscation techniques to obfuscate something completely innocent and not the least bit malicious? No, that would actually be a good idea, because that would be an issue, that it's just running through it... [Audience:] Yeah, [there's] weird stuff in here; nobody does that for legitimate reasons. That would have made a good idea actually, didn't think about it. Anyone else? Well, thank you very much.