How's that, guys? That's better. Hopefully the sun will remain away long enough that you can see the projector, but if not, feel free to avoid my eyes and look at the slides from the side there.

My name is Mark Williams. I'm a penetration tester and I'm here to talk about antivirus evasion, or more accurately, I'm here to talk about my adventures in malicious software. I say this because it's not really antivirus evasion; I'm not going to drop any new technique or anything like that, but it's something I've been working on for quite a while now, in terms of just seeing what we can do with antivirus and what we can get away with without being pinged.

So I'm a penetration tester. I hack computers for a living; that's what I do, and I have to drop malicious software on other people's machines, so antivirus is something that gets in my way quite a lot. I started out with this idea that I really like malware and I want to develop something that can assist me, not only in my day job but in my learning about how systems work, because that's the big thing with antivirus: it is this black-box security thing. We all install it, we're all told that we require it and that it's going to keep us safe, but we don't really know how it works. So we might hear some buzzwords like signature detection and behavioral analysis, but we don't really know if it's even doing anything. When it finds something it makes a really big deal out of it, and antivirus is like, "Ha, look, I found something and it was bad, I kept you safe," but we don't know that it's finding everything, and indeed my day job is to kind of sneak past this.

So my adventure followed roughly this line here. Why evade? That's easy: I'm a penetration tester, I have to install the software, the tools that are required to do my job. But when it actually came to learning how to evade and trying to apply these techniques,
I tried to keep things scientific. So I wanted a control group: a file that I knew was malicious, that I could alter in situ, to see if I could get a non-malicious file through antivirus. And there are some techniques in the middle. These are kind of common techniques that anyone who works in security has probably heard of, maybe tried. These are the techniques I went through. I tried some new things, but my main aim was to do antivirus evasion through the path of least resistance: to put the least amount of effort in possible and still evade antivirus. It's quite easy for hackers to get involved in something and be like, "Oh, I'm writing polymorphic code, my executable changes every time I run it," and that's great, but it's quite a lot of effort and it's taking away from me actually doing my nine to five of getting access to systems.

So I started off with a control executable. My control is Meterpreter. Meterpreter is a piece of software that comes with the Metasploit framework, and it just allows us command access to a system: we can upload files, download files, execute system commands. I'm using VirusTotal as my initial system to tell me whether I'm being picked up by antivirus. VirusTotal is simply a website: you upload a file to it, it'll scan it with lots of antivirus engines and it'll tell you whether they detect it or not. So my initial thing, Metasploit plus VirusTotal, didn't actually work out that well, but I'll get on to that.

So Meterpreter is picked up as malicious by 34 of 51 antivirus engines. That's kind of odd anyway, because this is probably the most malicious executable on the planet and it's only picked up by 34. So evasion is going quite well so far: trying to avoid antivirus, and I've already evaded 17 of them. But this is my control group.
It's my baseline. So when we're looking at antivirus and we're analyzing the antivirus system as opposed to the malicious software (because a lot of people do malicious software analysis, but not so many people look the other way), we're told about these things. Signature detection: signature detection is simply the antivirus software looking at the executable and looking for patterns that it has previously seen before, that it's been told are malicious, and it'll flag if it sees those. Behavioral analysis is where the antivirus executes the code for a short amount of time and then watches it. Behavioral analysis doesn't necessarily work how a lot of people think it does; it doesn't watch it through its lifetime. Generally speaking, there's maybe a predefined amount of time that it'll watch it for, and if it does something malicious in that time, or it does enough malicious things, then it'll flag it. Third on here, called "pass the sample", is a problem that arose using VirusTotal. VirusTotal shares samples amongst vendors, so if you upload a control-group malware and then you upload it again several minutes later, your detection rate has increased. Not because they've suddenly seen your code and done deep analysis on that code.
They've just said, "Oh, my friend, the other antivirus solution detects this, so we probably should as well." And that detection is quite naive, but it kind of alters the data, and it makes doing this scientifically (where we were collecting "this was flagged by this number", that kind of data) a problem; it screws that up, because every time I upload I get a different number.

But antivirus evasion is something that hackers and penetration testers have done for a long time, and there are tools out there that can do it for you. If you Google "antivirus evasion" or "fully undetectable", FUD, you get lots of tools that can do this kind of thing for you. These kinds of tools are closed-source binaries from hacking groups that we've never heard of, and probably not a good thing to run. But this set of tools are open source, they have papers published on them, and they work very, very well. The reason that I didn't want to just use these tools is because of my problem with antivirus. One of my problems is that it's a black box and I don't really know what it does. If I'm just to immediately take someone else's code, someone else's tool, and apply that, it might work a lot of the time, and in fact these tools do work very, very well. But if it doesn't work all the time, I kind of get stuck, and when I'm stuck I'm not really doing my job. So these tools implement certain techniques that they document, and the most simple technique, the oldest technique, is to simply encode our payloads. Encoding is taking some data and representing it in a different way.
That's all it is. msfencode is a tool that can do this. msfencode was not designed to do this at all; it's designed to alter shellcode, something completely unrelated. But for a small period of time, a long time ago, msfencode did evade antivirus, and so when you talk to penetration testers or you talk to hackers, it's one of the things they do; they give you this response: "What I learned about antivirus evasion: all you need to do is encode." And it totally doesn't work. So I was kind of disappointed when I tried this. My initial control group had 34 detections, and that's a good start; when I encoded, expecting it to drop, it went up, so I got 35 detections. So my antivirus evasion talk's not going well so far, because I've told you exactly what not to do.

So I'm back to these penetration testers that I know, these black-hat hackers, and I said, "Guys, this technique you gave me totally sucks." The answer that I got: "Encode more." Just run iterations of the same tool, and indeed you can run msfencode with some iterations. So I just put a really big number in there. Ah, here we go: evasion got past one. We're down to 33. This is progress, right? But what I'm thinking right now is that this is kind of the wrong approach. But I wanted to continue going through that foundation knowledge that was already out there, the things that were already online. There's no point diving into a new area of research and saying, "Guys, I know what I'm doing.
I'll take it from here." We've got to go through what's already available out there. But this quotation, if you can't read it, is from one of the developers of Metasploit, and he, I guess, is sick of sitting in IRC and saying, "Guys, msfencode isn't the way forward." So msfencode isn't good, but there are other things that we can do, still sticking within Metasploit and using Meterpreter as my control group, because I haven't advanced past that at this stage. The way that Metasploit works, and the way in fact msfencode works, is we'll take some malicious shellcode and inject it into a template executable file. The problem with doing that is that antivirus vendors, when they're picking up executables, are kind of putting in the least amount of effort possible. So what they do is, instead of looking for malicious behavior, it seems they just pick whatever is easy to write a signature on. So if all of the malicious behavior that comes from Metasploit, that comes from Meterpreter, goes into this template, why not just flag the template? And that's in fact what they do. So a blank template from Metasploit will get 42 hits. 42! This is one of the older templates, the x86 template, but they're flagging just what is essentially an empty executable, because they know that no matter what you do, whatever shellcode you inject is going to use this template. So one thing that we can do is just use a custom template, or use any executable into which we can inject our own shellcode. This isn't a new technique, but I found that even though it's an old technique, it's really effective.
I got four hits out of 51. But it started to highlight something for me: antivirus vendors are also looking for the path of least resistance, the thing that I'm trying to do. They're just going with whatever the easiest way to target these malicious executables is. So maybe instead of doing this crazy new thing and coming up with zero-day technology, we can just look at what works, get as close as we can to the front lines of antivirus, and make a few changes here and there, a few configuration options and templates. Changing that template really does show that.

Continuing on from there, I thought, instead of using a template executable, or taking a standard executable and injecting shellcode into it, what about the idea of just grabbing shellcode and injecting it directly using VirtualAlloc or something like that? In fact, there is a Python tool that can do this, or you can do it with C: literally just create what is essentially a bare-bones executable of "here's a variable that holds some shellcode, now fire that shellcode", and it works really, really well. My detection rate came down to one. So I started talking to people, some penetration testers, and saying, "OK,
this antivirus evasion thing seems really easy if I've already got my detection rate down to one using the most malicious executable on the planet." And the answer that I got back from that was that actually VirusTotal doesn't really scan your executable all that well. So it looks good when they're saying, "Oh, we scan with 51 antivirus engines," but these antivirus engines aren't deploying the whole artillery. Most of the time they're just deploying the static analysis parts, the simple parts of it. So these figures don't appear at all accurate, and in fact you can see that if you create a malicious executable, do the evasion on it, and then upload it to a system that actually runs that antivirus, it might detect it even though VirusTotal said that it wouldn't.

So my scientific approach is failing so far, in that my control group's not all that good, and also the test cases that I'm getting from VirusTotal are essentially lying to me. So I needed to move on from here, and I wanted to get as close as I could to antivirus. Even though they're black boxes, I wanted to set the environment up in such a way that I could extract as much information as possible from that. So the first thing that I did was, instead of using Meterpreter as my control executable, I created my own control, and I tried to load in there as much malicious behavior as I could, but to do it in a modular way. So essentially I could turn malicious functionality on and off and try and work out which antivirus vendors are picking up which things. It turns out that you can get away with an awful lot of stuff without being detected, and most of the antivirus vendors are literally still just working on signatures, and behavioral analysis is still pretty naive and not really that good. But I did this: I created what was essentially a really small module that I could deploy to a target system, and then I could fire additional modules at it and look at how the antivirus works.
Essentially what I was building here is a botnet. I created this shellcode which is executed on a target system, and then I can listen to that system and see how it reacts in terms of the antivirus. So instead of relying on VirusTotal and saying, "OK, guys, how many antivirus systems pick me up?", I created a network of systems, initially starting with virtual systems and then moving on from there, during penetration tests testing on client systems with this code, and I set up my own VirusTotal environment. What this allows me to do is create a malicious executable, fire it at a system, and see if it picks it up at all.

So I started doing some things. I got old viruses and took source code from those. I took things that I would want to do as a penetration tester and kind of naively implemented that, so things like dumping the password hashes from a Windows box and things like that. In fact I used tools like fgdump and pwdump, existing tools, and just wrapped them and implemented them in my executable, then watched how the antivirus system reacted. If I was detected, I played around with that code in naive ways to see if I could get away with doing the activity, and I found that, for example, dumping Windows hashes, the executable is detected as malicious, but the signature is on the debug messages, which are there to tell me if it worked or not. But I know whether it worked or not depending on whether a file is created that contains loads of hashes. So I can go into the source code and I can just remove all the debug functionality, and the executable still fires. It still works.
I still get hashes, but the antivirus system doesn't pick me up any more. So I started creating these test cases where I was like, "OK, this exe does something really malicious and antivirus companies aren't picking me up." So I contacted some of the antivirus companies and I told them, "You guys, I can see what you're doing here, the path-of-least-resistance stuff, but you're missing a lot of malicious behavior." And they said, "OK, absolutely, send us over some exes, tell us what they do, and we'll take a look." So I sent over an exe and they said, "OK, yeah, I can see that, we're definitely missing this. So what we'll do is we'll MD5 it and then we'll pick that up from now on." So maybe that's the wrong approach, and I was talking to some guys last night in the bar thinking, how can we deal with this? So maybe we should just create 200 executables and just keep sending them, and see if they're going to keep doing MD5s of those and how long it takes them to give up.

But essentially I think this is the closest that I can get to the antivirus front lines. Antivirus is a black box, and that's generally a bad idea for security. We don't accept this with cryptography; we don't accept just using secrecy with cryptography, so maybe we shouldn't for antivirus as well. Maybe we should move towards more open systems. What I've got set up here is a system that has as many antivirus engines as I care to deal with, and I can simply drop exes on those systems. So the video that's running here is essentially showing off how the botnet functionality works. The right-hand terminal window is a command and control center, the left window handles the GUI, and in the background there are 20 servers that all run a different antivirus system. And when I first showed this to some colleagues, they were saying, "Oh, how are you wrapping the antivirus to work out whether it detects you or not?"
And it's really, really naive: I fire a shell at a machine; if I get command-line access, the icon goes blue; as long as I have access (and it checks every 20 seconds) that machine will stay blue. So I can quite easily deploy these malicious payloads and see if they detect me or not, just based on whether the icon stays blue or not. So what I did was I took all of this malicious behavior and I kind of tried to create my own Meterpreter. I went with all of the techniques that I would require as a penetration tester or as a hacker to gain complete access to a system, still trying to implement it in a naive way to see how antivirus reacts. So to go from this, I've now got a really good control. It's open source because it's something that I wrote, I understand it quite well, and I can control the entire environment that these antivirus engines are running on, and I know whether they detect me or not. So I created an executable which is just clearly malicious, and what it does, the next demo, is the exact same thing, apart from this one is trying to show what would happen if a user executed an exe that they shouldn't. So it sets up the botnet in the same way, but we're now going to jump on to one of these machines. This machine is virtual, and the user is going to execute a file that could have come from email, could have come from a USB or something like that, and that executable is then going to brute-force the passwords of all of the other servers on the network, which is really obvious, trying really silly passwords like "password1". And then if it gains access to that, it'll try and privesc up and then fire its shellcode on that box and get command-line access. And I kind of expected this not to happen.
I kind of expected that it would be really obvious malicious behavior, and that just wasn't the result that I found. So my idea of getting really, really close to antivirus and taking the path of least resistance worked, insomuch that I can control it: I can create a really nice control executable and I can set up this environment that I can control really easily. But antivirus evasion isn't that difficult, and so, wanting to come here and show you guys something really cool: there are already tools out there that can do this, and it's surprisingly easy to get away with. So this executable, which is firing on the network, brute-forces passwords over the network, fires malicious executables, dumps password hashes, and then cracks them locally on the target box, in the same way that a botnet would do it. So it's connecting to a command and control server. It does a couple of little tricks, like it does stalling code and things like that, and this is actually deployed on the top-left box. But if you watch the video, that's pretty much the last box that gets shelled, and that's on purpose: we're hacking other boxes as opposed to our local box, because if we're going to get detected, we don't want it to be until we've taken over some other machines.

My talk initially was to look at the tools and techniques that we can move forward with, and so this is the new thing for antivirus evasion, and really the techniques that I used were just common sense: getting as much control over a system as we possibly can, and really analyzing the code to see why we are being detected.
So take some malicious code, strip it down to the bare bones, work out which lines are being pulled on, and then just alter those lines. And a lot of the time, because antivirus companies are going path of least resistance, they're writing signatures for the things that are easy to detect. So msfencode, the technique that I showed initially, doesn't work, and it doesn't work for the quite interesting reason that with msfencode, all of the data that the antivirus company would need to analyze the behavior of that executable is within the executable. It's not encrypted or anything like that; it's just represented in a different way. But antivirus vendors don't fire that executable and then watch its behavior, because they don't need to, because msfencode with the standard encoder has staging code and they can write a signature for that staging code, in the same sense that they wrote a signature for the template. And if you write a portable executable crypter, that's a tool that will encrypt executables, that will have staging code as well, and these antivirus vendors are just picking up on that, the easy signatures. Which means we can also do the thing of just removing those easy signatures. So instead of using VirusTotal, instead of using whichever tool, we can come up with just really simple tools and techniques, things that are more open source, and kind of push the antivirus vendors and say, "You know, we're being open; we're evading your system through openness. Maybe antivirus should be more open as well." So black-box security is a bad idea, and I think maybe antivirus is the last thing that we've got on our systems which is still black box, and we should probably do something about that. That's my real quick talk, and I've kind of blasted through that far faster than I thought I would, but I'll take questions now.

Audience: I'm sure you get asked this a lot, but were any antivirus products more effective than others?
Mark Williams: Not necessarily. The question that I really get asked a lot is, "What is your favorite antivirus?", and my favorite as a tester is probably not the same as a person's favorite when they want real security. I like bad antivirus because it makes my job easier. But I really did blast through that content. The antivirus companies were all picking the content up as malicious for bad reasons, but it was all different reasons. So when I started changing my source code and removing that debugging functionality, it didn't really go from 20 detections down to zero; it was more like a line change here and a line change there would drop it down. But I got very, very similar results from all of the antivirus companies. I was talking to someone about that yesterday, about whether there really is any difference between the AV companies and whether we should really have favorites, and it brings up a really odd question of ethics, because if an antivirus company wanted to be the leading company in that area, then they wouldn't really be very friendly to the other companies: if they found a sample and got a signature for it, or created this really good behavioral engine, they wouldn't share that. But in the interest of good security and everyone being safe, they should share that.

Audience: But perhaps, for as many AV companies as you might like to think there are, a lot of the engines are actually shared between multiple different vendors.

Mark Williams: Yeah, that's absolutely true. A lot of the engines are shared between vendors, and like I say, VirusTotal shares samples and it's quite easy to see that: it's almost immediate, within a couple of minutes the detection rate increases. So there is sharing between antivirus companies, and I found similar results for all of the antivirus companies.
I didn't try them all. I didn't implement the 51 that VirusTotal did; I implemented about 15. I showed 20, but it's only about 15 I actually wrote code for, and they all seemed to react in very, very similar ways. So the idea of a favorite antivirus maybe isn't something that we could have.

Audience: What about existing open source, like you had ClamAV?

Mark Williams: Yeah, I think it's not really... It's difficult there. ClamAV is open source, and there are open-source security solutions. I think the idea really is to be more public about how detection works. Talking to some people at this conference, actually, who work in antivirus, and they work in development, there are really, really cool things that we can do with antivirus and behavioral analysis and virtual engines and things like that, and emulation, but a lot of that doesn't seem to get implemented in the real world, and people's home systems and lots of corporations don't implement that. So I think it's not so much just a case of being open source, but it's also being public about the way that we operate, the way that things work.

Audience: Do you think it's worth the time and effort to install antivirus software, as a user, not as a security researcher?

Mark Williams: What's your threat agent? That's one of those questions with security. It's like, we can have an antivirus, and it doesn't mean that antivirus immediately should go away. It does do good things and it does prevent old samples and things like that. I don't think... I did a similar talk to this a little while ago where I showed antivirus evasion from a penetration-testing point of view, to show our clients, "Look, we can evade antivirus, isn't that scary?", and that blew a lot of people's minds. But really we shouldn't ever rely on one security technique.
We shouldn't just rely on antivirus. So I don't think that antivirus should go away, but I think there is a lot of room for it to improve, and I think we should push for it to improve. Shout, go ahead.

Mark Williams: Awesome question. I've come across this working with one client, actually, where one of the things that we do is we look to see if they have antivirus installed, and a lot of companies will have antivirus installed on end-user devices but not servers, and they call it efficiency: they say, "Oh, the antivirus slows us down, therefore we don't run it." And I was working with a client once and I ran some malicious executables on their system. They weren't detected, so I flagged them in the report as "You don't have antivirus installed." He said, "No, we do," and he showed me, and he showed it running with a little icon saying it's fully up to date, and it just wasn't working. And that's the issue of black-box security, where we don't really know what it's doing. It makes a loud noise when it finds something, but if it doesn't find something, we have no idea whether it's working at all. I wrote this botnet nine months ago; one antivirus company has picked it up since, and it picked it up for a really odd reason that I never thought of. It didn't pick up any of the malicious activity, any of the brute-forcing of accounts or dropping shellcode or anything like that. What it did pick it up on is the fact that it made itself run on startup, and it detected the persistence. So as an attacker you don't necessarily require persistence; you might just want to dump passwords and then get out of there. So one AV vendor, I won't name who it is, did pick this up, but they didn't pick it up for the reasons that I thought. But the idea of picking up malicious activity without antivirus is really something that corporations should look at, because it can be quite easy. Not easy, that's unfair, but it is something that we can do.
I mean, so for example the second video, where we see this exponential growth where the malicious executable is brute-forcing other machines: it does that essentially at random, and then it deploys the same payload to that machine and we get this kind of exponential growth, which looks really cool in a video. But that is actually quite detectable, because most user traffic, as we know, goes from end-user device to server, something like 80%. It's really, really rare for client machines to talk to each other. So if on your network suddenly all of your client machines are battering each other's login prompts, it's probably malicious. I've never had anyone pick up on that. But I guess it's the difference between: do we trust our intrusion detection systems, or do we trust random log checking? You know, the idea of random log checking; some statistics came out recently, from what I've been told, second-hand information, that random log checking is statistically better for security than intrusion detection systems are: an 8.5 percent detection rate to 3.5 percent detection.

Audience: Also, in terms of Linux, Windows, Mac, is there a real difference, or is it just market share?

Mark Williams: Another interesting thing that people say to me is, "Oh, I run Mac and therefore I can't get viruses." Bring me a Mac and I'll write you a virus, you know. I think again the issue is just one of threat agent, and maybe Mac and Linux get less of the very, very loud malware which spreads across the internet because there are fewer of those boxes. But if you're targeting a specific company, and I want to say the word APT here, so everyone should take a shot: if the threat agent is APTs, then they probably know the systems that you use. And I find it no more difficult to write malware for Linux boxes than I do for Windows, and in fact I was really, really lazy on this project and this runs on Linux because it runs in Wine absolutely fine. There's no problem at all.
So the shell part of this is running on Windows machines running antivirus, but as you can see the command and control part is running on Linux, but it's running under Wine. No, you've got a microphone; we can start here. We'll move around.

Audience: Is there anything you think that we as end users can do to open this black box and get vendors to actually, you know, release a little bit more info?

Mark Williams: Very little faith in end users. The problem with end users is that it's this mix of "don't understand", "don't care", "not their field", things like that. Another speaker mentioned the fact that we can have end users do things if we implement fear, but the problem is attackers can implement fear as well. So the few people that I've talked to around camp, I've mentioned the idea of phishing attacks, and we all know about phishing attacks: you send an email to a user and ask them to do something that they really shouldn't do. A recent phishing campaign that I ran, I essentially asked users to give me their passwords, and 63% of users did, and the reason that I feel that worked was because I initially asked them to give me their password under the guise of their hierarchy: as the IT director, "Please give me your password and send it to this Hotmail address." And then I sent a secondary email from the finance director saying, "Some of you haven't filled this form in yet; please immediately do so or disciplinary action will ensue." And it's the issue of end users having two areas in which we work: we have our office systems, where we're at work and we presume someone else is going to look after us, and then we've got at home, where we've got a very small attack surface anyway. So I think the best thing that an end user can do is just pay attention to your machine. You spend a long time on your own machine, even if it's an hour a day; that's still quite a long time. When it starts doing weird things, you're kind of going to notice that. So I think end users are limited, because knowledge is limited and effort is limited, but
there are things that we can do, which is just keep an eye on our own systems, monitor things, even if it's naive: something is wrong, I should tell someone something is wrong. The phishing campaign that I ran, where 63% of users sent me their password: the 40% that didn't, didn't tell anyone. They didn't go, "That's a phishing email, I should probably tell someone." So as end users in the workplace we can protect each other. If one of those users had gone to their IT department or their security department and said, "I got a phishing email," that IT department could have blocked the link, because every email had the same link, and if they'd just firewalled that, the entire phishing campaign would have failed. Maybe we've got one here.

Audience: Do you think it's feasible to implement all these advanced detection techniques and be scanning in real time, as antivirus does? Is there not a massive system cost for running it?

Mark Williams: If the clients that I already work with don't install traditional antivirus because of performance issues, or perceived performance issues, then I would think it would be a hard sell to tell them that actually you need to install more stuff that's going to work harder.
I think there's a lot to be said about containerization, in this idea where we have virtual environments where we segment applications, to, instead of preventing that initial foothold that an attacker can get, simply prevent them pivoting across the systems. That can be localized, with every application running in a sandbox, or it can be network-wide. The worm demo is a naive demo where the malicious software brute-forces those passwords; if there weren't weak passwords then you've entirely stopped that propagation anyway. So maybe there's not a lot we can do for the initial foothold, but maybe there's a lot we can do in terms of monitoring and preventing propagation. Yeah, it is true to say we can do more in terms of behavioral analysis. Behavioral analysis is probably really hard, I don't write antivirus, but I think there is probably more we can do in terms of virtualizing systems and having a better view of the way that the executables are running. There was a recent DEF CON talk actually where somebody was talking about emulating systems as opposed to virtualizing them to get more view of what's going on.

So ten years ago we deployed a behavioral system across a 60,000 user estate. We got about a 5% hit on individual systems. It was based desktop and server. The interesting bit was we spent about two million on the software, but we had to sort of treble the size of the team that were just looking at the logs. The problem with behavioral systems is actually you need people to go through and look at the logs of the systems.

Not only that, but the issue with behavioral analysis as opposed to static analysis: static analysis is a Boolean, I've seen this before, it has previously been proven to be malicious and therefore I can flag it. With behavioral analysis it's the idea of, is it doing enough bad? So when we're looking through logs, something weird happens, and it's like, is that weird enough that it's malicious, or is it just an anomaly?
So you're absolutely right: with behavioral analysis there is increased manpower required, or increased processing power.

But we caught shit.

The interesting thing is I work as a penetration tester now, and I've not seen any of our client base, big or small, deploy anything like that.

So there's not... yeah, it's a one-off in 10 years of pen testing.

Yeah. Yeah. As a pen tester, we don't really have that much difficulty evading antivirus, and I find that a curiosity enough to stand in front of you guys and say, why doesn't antivirus work?

As a pen tester, what's your view on default permit versus default deny? As in, if you have a client with, say, an important server that is highly exposed to the net, to simply whitelist all the exes you actually know should ever be running, and then if they say install something new they can add it to the whitelist, rather than saying everything can run and let's hope that nothing malicious ever comes on here.

Yeah, the problem with that kind of security... it's like we have this idea where, assuming somebody proposes a solution, people will just nitpick at it, and it doesn't necessarily mean that it's bad. Well, we should do something. Whitelisting executables still has the issue of, if you inject shellcode into that process, then you're running as that executable and therefore can get around it. But if you have the manpower to do that, if you have a system whose scope is narrow enough that we can whitelist executables specifically, then that totally works.

Second: every office needs Word. If you allow Word you allow macros, and it's game over. So whitelisting is not going to be an effective solution on this side.

That's true, and the same with dropping shellcode into your processes anyway. It's not a cure; it probably helps, but it's not a cure, and it depends if the threat agent is someone sitting behind it. If I'm sitting on the command and control server then I can direct the shells and I can direct the bots to do things; if they're spreading like a worm
spreads, and it's just naively outwards, then maybe it does assist.

Do you think using things like Process Hacker, like task managers, and, you know, sandboxing, does that work? Just on a software level sandboxing, or do you need hardware as well?

No, I think on a software level it does work. I saw something cool actually: there's a project where someone has implemented VirusTotal within Task Manager, so if you open Task Manager it'll fire those executables to VirusTotal. And okay, VirusTotal is naive, and I showed that previously, but again it's something quite cool to say that I can quite easily just fire executables up. But no, sandboxing is a really cool thing in terms of the issue of propagation. So okay, I might be able to jump into that process or into that small virtualized instance, but if I can't get out of that, or if it doesn't have any interesting permissions, then maybe we give the attacker the initial foothold knowing that we can prevent propagation. I think so, maybe; depends how much manpower you've got. Yeah, I tried to compile a list of malicious behavior, and I started out with something like 12 things that I thought would be malicious, like dumping password hashes and things like that, and my list now is something like 220 things that I can think of that are malicious. That kind of thing does work if you can spot it and if you have the ability to go in there and look at it. The problem is some of the malware, the activity that it does, it really doesn't look that malicious. So the most simple foothold an attacker can have is simply an executable which reads from the network and pushes it to cmd.exe. So reading from the network and running an executable in the system which is there by default: to spot that behavior is quite difficult. I mean, you can automate that: if network packets immediately come in from the network and are immediately pushed to cmd.exe, then that's malicious. But as a human being I think we would miss that.

You were saying you wanted
antivirus companies to open up a little bit about how they do detection. Do you think that carries an increased risk of malicious individuals then being able to exploit weaknesses that they see in those?

The parallel that I drew, and it's a naive parallel, is that of cryptography, where we don't accept secrecy in the world of cryptography: our algorithms are open but our keys are not. And that's the parallel that I drew to say that maybe antivirus should be open, because security... And I don't generally expect antivirus companies to go, you're right, we should do this, because they have the whole sales thing, don't they, where they like to spin things to show that they are the best. And I think that's interesting, both in ethics and the way that it works, where people still ask, what's your favorite antivirus? You know, it's like, well, they're kind of all the same to me.

In your demo there, where you're basically finding the user account passwords, yeah, was that with local user accounts? And if so, have you encountered situations where all local accounts are disabled, in, like, a domain situation? How does that compare?

The reason that I did this is because it's quite a common thing as a penetration tester for us to do. If we have physical access to a device then we can dump the local passwords, the local admin password, of lots of machines. There's a huge risk, and lots of companies don't realize that, because a lot of companies will protect domain administrator accounts and kind of forget about local administrator accounts. There's progress being made in this area. So one thing we can do is we can dump the hashes and then log in using pass the hash, where instead of cracking it we just log in using it, and a recent Microsoft patch changed that so that local admin accounts that have been added can't log in with a hash; it's only the default RID 500 that that works with. So progress has been made, but password reuse is a bad thing, and we know it, but it's still prolific, and local admin accounts, if they're not
needed, then they should be turned off, in the same sense that anything that is not needed should be turned off. We reduce our attack surface massively just by turning things off and uninstalling things that we don't actually need. A really good example of something which is installed on a lot of systems by default is Tomcat. Tomcat comes bundled with things and administrators don't necessarily know what it is, but it's one of my favorite ways to get into a system, to brute-force Tomcat.

You said you don't care about the vendor of the antivirus. Do you see a difference between the so-called free for personal use and the professional versions?

I tried not to draw a difference between free and paid for, and I did that on purpose because I was curious to see if there would be a difference. During my nine to five I see the paid for ones, because corporations get that warm fuzzy feeling when they've paid for something, but I didn't see that much difference between the antivirus aspect of free and paid for. I think the engines were very similar.

From my experience, what I see is you tend to get... all the free version is just antivirus, but the paid for version is antivirus and anti-spam and firewall, and it's a bundle, the kind of 360 security type thing.

So no, I didn't see a difference between paid for and free. I think we're done. Thanks guys.