The Art of Obfuscation: Evading Static Malware Detection
2024-1-15 21:25:15 Author: infosecwriteups.com

This is a technique in which the critical data of the malware, typically the shellcode, is converted into IPv4 or IPv6 address strings. At execution time the strings are converted back into the original bytes and executed, so the raw shellcode never appears in the file on disk.
As an example, we take an msfvenom shellcode payload that spawns calc.exe when executed.

Defender removing the file as soon as we compile it.

As soon as we compile the malware with the shellcode obtained from msfvenom, Defender flags it as malware.
So the idea is to convert the shellcode bytes to decimal values and group them so that they look like IP addresses. In IPv4 obfuscation, every 4 bytes form one address. Take the first four bytes of the shellcode, "FC 48 83 E4" (from the image below): 0xFC is 252, 0x48 is 72, 0x83 is 131 and 0xE4 is 228, so "FC 48 83 E4" becomes the IPv4 address 252.72.131.228. If the shellcode length is not a multiple of 4, the final address has to be padded (for example with 0x90 NOP bytes) or the original length recorded, so that the decoder does not run off the end of the data.

Shell code before obfuscation
Malicious Shell code after obfuscation

After obfuscating the shellcode as IP addresses, we are able to evade Defender and run the program.

calc.exe running after obfuscation

IPv6 obfuscation works the same way as the IPv4 variant, with one difference caused by the address length: an IPv6 address holds 16 bytes, an IPv4 address only 4. The conversion to decimal that IPv4 obfuscation requires is unnecessary for IPv6, because an IPv6 address is written as eight groups of four hexadecimal digits, so two shellcode bytes can be written directly into each group. For example, the first 16 bytes of the sample shown above are obfuscated as
FC48:83E4:F0E8:C000:0000:4151:4150:5251

Deobfuscating the IP strings can be done with the NTDLL API functions "RtlIpv4StringToAddressA" for IPv4 strings and "RtlIpv6StringToAddressA" for IPv6 strings. Each writes the parsed address into a 4-byte in_addr or 16-byte in6_addr structure, and the bytes are copied from there back into the shellcode buffer. Note that this defeats only static scanning of the file on disk: once the strings are decoded, the original shellcode sits in memory, and imports of these two rarely used ntdll functions are themselves a hunting signal.
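The following C program is an added example, not code from the original article, that carries the IPv4 and IPv6 encodings described above through a full round trip: it turns a byte buffer into address strings, parses them back, and checks that the input is recovered exactly. The sample input is the 16-byte prologue quoted in the article (FC 48 83 E4 F0 E8 C0 00 00 00 41 51 41 50 52 51) plus three constructed filler bytes (AA BB CC) so that the padding path for a length that is not a multiple of the group size is exercised. Because RtlIpv4StringToAddressA and RtlIpv6StringToAddressA exist only on Windows, the decoding side uses small portable parsers that stand in for them; the IPv6 parser deliberately accepts only the expanded eight-group form the encoder emits. The function and variable names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAD_BYTE 0x90u   /* x86 NOP: harmless filler for an incomplete final group */

/* Sample input: the 16-byte msfvenom x64 prologue quoted in the article, plus
 * three constructed filler bytes so that the padding path is exercised. */
static const uint8_t sample[] = {
    0xFC, 0x48, 0x83, 0xE4, 0xF0, 0xE8, 0xC0, 0x00,
    0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52, 0x51,
    0xAA, 0xBB, 0xCC  /* constructed filler, not shellcode */
};
static const size_t sample_len = sizeof sample;

/* Number of address strings needed to hold len bytes in groups of `group` bytes. */
static size_t groups_for(size_t len, size_t group) { return (len + group - 1) / group; }

/* Byte i of buf, or the pad byte once i runs past the end of the data. */
static uint8_t byte_or_pad(const uint8_t *buf, size_t len, size_t i) {
    return i < len ? buf[i] : (uint8_t)PAD_BYTE;
}

/* Obfuscate: every 4 bytes become one "a.b.c.d" string with decimal octets.
 * Returns the number of strings written, or 0 if max_out is too small. */
size_t ipv4_encode(const uint8_t *buf, size_t len, char out[][16], size_t max_out) {
    size_t n = groups_for(len, 4);
    if (n > max_out) return 0;
    for (size_t g = 0; g < n; g++)
        snprintf(out[g], 16, "%u.%u.%u.%u",
                 (unsigned)byte_or_pad(buf, len, g * 4 + 0), (unsigned)byte_or_pad(buf, len, g * 4 + 1),
                 (unsigned)byte_or_pad(buf, len, g * 4 + 2), (unsigned)byte_or_pad(buf, len, g * 4 + 3));
    return n;
}

/* Obfuscate: every 16 bytes become eight 4-hex-digit groups, always written in
 * expanded form (no "::" compression) so the decoder below can parse them. */
size_t ipv6_encode(const uint8_t *buf, size_t len, char out[][40], size_t max_out) {
    size_t n = groups_for(len, 16);
    if (n > max_out) return 0;
    for (size_t g = 0; g < n; g++) {
        char *p = out[g];
        for (size_t h = 0; h < 8; h++) {
            unsigned hi = byte_or_pad(buf, len, g * 16 + 2 * h);
            unsigned lo = byte_or_pad(buf, len, g * 16 + 2 * h + 1);
            p += sprintf(p, "%02X%02X%s", hi, lo, h < 7 ? ":" : "");
        }
    }
    return n;
}

/* Strict "a.b.c.d" parser; returns 1 on success, 0 on malformed input (wrong
 * field count, trailing junk, octet > 255). Portable stand-in for ntdll's
 * RtlIpv4StringToAddressA, which this example does not call. */
int ipv4_parse(const char *s, uint8_t out[4]) {
    unsigned v[4]; char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &v[0], &v[1], &v[2], &v[3], &tail) != 4) return 0;
    for (int i = 0; i < 4; i++) { if (v[i] > 255) return 0; out[i] = (uint8_t)v[i]; }
    return 1;
}

/* Parser for the expanded "hhhh:hhhh:...:hhhh" form only; stand-in for
 * RtlIpv6StringToAddressA. Each group is at most 4 hex digits, so v[i] <= 0xFFFF. */
int ipv6_parse(const char *s, uint8_t out[16]) {
    unsigned v[8]; char tail;
    if (sscanf(s, "%4x:%4x:%4x:%4x:%4x:%4x:%4x:%4x%c",
               &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &v[6], &v[7], &tail) != 8) return 0;
    for (int i = 0; i < 8; i++) { out[2 * i] = (uint8_t)(v[i] >> 8); out[2 * i + 1] = (uint8_t)(v[i] & 0xFF); }
    return 1;
}

/* Deobfuscate n strings into out; returns bytes written (including any padding)
 * or 0 on a parse error or insufficient capacity. The caller trims to the
 * original length, which must be stored alongside the strings. */
size_t ipv4_decode(char (*strs)[16], size_t n, uint8_t *out, size_t cap) {
    if (n * 4 > cap) return 0;
    for (size_t g = 0; g < n; g++) if (!ipv4_parse(strs[g], out + g * 4)) return 0;
    return n * 4;
}
size_t ipv6_decode(char (*strs)[40], size_t n, uint8_t *out, size_t cap) {
    if (n * 16 > cap) return 0;
    for (size_t g = 0; g < n; g++) if (!ipv6_parse(strs[g], out + g * 16)) return 0;
    return n * 16;
}

/* Round-trip both encodings over the sample; 1 if both recover the input exactly. */
int roundtrip_ok(void) {
    char v4[8][16], v6[2][40];
    uint8_t back[32];
    size_t n4 = ipv4_encode(sample, sample_len, v4, 8);
    if (ipv4_decode(v4, n4, back, sizeof back) != n4 * 4) return 0;
    if (memcmp(back, sample, sample_len) != 0) return 0;
    size_t n6 = ipv6_encode(sample, sample_len, v6, 2);
    if (ipv6_decode(v6, n6, back, sizeof back) != n6 * 16) return 0;
    return memcmp(back, sample, sample_len) == 0;
}

int main(void) {
    char v4[8][16], v6[2][40];
    size_t n4 = ipv4_encode(sample, sample_len, v4, 8);
    size_t n6 = ipv6_encode(sample, sample_len, v6, 2);
    for (size_t i = 0; i < n4; i++) printf("IPv4[%zu] = %s\n", i, v4[i]);
    for (size_t i = 0; i < n6; i++) printf("IPv6[%zu] = %s\n", i, v6[i]);
    printf("round trip: %s\n", roundtrip_ok() ? "ok" : "FAILED");
    return roundtrip_ok() ? 0 : 1;
}
```

The first IPv4 string produced is 252.72.131.228 and the first IPv6 string is FC48:83E4:F0E8:C000:0000:4151:4150:5251, matching the article's worked values; the 19-byte sample yields five IPv4 strings and two IPv6 strings, with the tail of the last one filled by the pad byte. Two design points carry over to a real loader: the original length has to be stored next to the strings so the padding can be discarded, and the decoder should reject malformed strings rather than silently producing garbage bytes, which is why the parsers are strict.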


Source: https://infosecwriteups.com/the-art-of-obfuscation-evading-static-malware-detection-f4663ae4716f?source=rss----7b722bfd1b8d---4