PDA

View Full Version : Anyone know what they mean here?


Sunk
February 8th, 2013, 13:38
Can anyone explain what the bellow blog post means?

Wrap an executable into a python script? Insert (the script?) into a good executable? So they get the opcodes from the malware, and then somehow insert those opcodes into a good program? Is that the same as meterpreter templates?

"Straight" export a program to a Python array? They mean put the opcodes from the malware into a python script, and compile the script into a .exe?


Quote:
The evasion technique is pretty simple, wrap the executable into a python script (you can also use perl and Ruby) then insert it into a good executable or export to a new one.

Poison Ivy - Straight export to Python Array. Pretty sad that it worked actually. This is where I had hoped to create some alerts that I would have had to suppress.

...

http://computer-forensics.sans.org/blog/2012/04/09/is-anti-virus-really-dead-a-real-world-simulation-created-for-forensic-data-yields-surprising-results

blabberer
February 8th, 2013, 16:17
Poison Ivy - Straight export to Python Array.

it means the shell code that poison ivy generated was a python array

it doesnt mean getting any opcode from anywhere

poison ivy is a rat (remote administration T)

it can generate a server or a client app and it can generate them in a variety of formats that include
1) a straight pe MZ
2) a binary blob D...
3) c array 0xF0, 0xFF, 0xFF
4) delphi array $33, $C0, $8D
5 python array \xC4\x30\xF0

the bytes would be almost same but different representation

Aimless
February 8th, 2013, 18:22
And, if you are from an 'older' era... it was much like converting the COM/EXE files via debug.com (remember this?) into plain text and back to com/exe again when it reached it's target. Useful for avoiding noisy anti-virus.

Have Phun

Sunk
February 9th, 2013, 07:44
@blabberer, I see. So they put it in a Python array and could use it like a meterpreter payload that was exported to Python? Is there any other malware that works like that?

@Aimless I'm not really old school, but that's what I was thinking. They dissembled an exe and then messed with it and then compiled it again. Does anyone know what "wrap the executable into a python script (you can also use perl and Ruby) then insert it into a good executable or export to a new one." means? Did they mean wrap the shellcode instead of executable?

Aimless
February 9th, 2013, 07:59
The exe is converted from it's hex bytes into text and this text is stored in a python script. As it's a python script and as there is no real exe (except the hex converted to text), the AV and Malware cannot find it. When I execute the python script, it converts the text to hex and saves it as EXE.

This is typically used to 'transport' files when they can be detected and deleted by malware/av scanners on networks.

To read this in more detail on how it was done in older days, read:

http://www.phrack.org/issues.html?issue=62&id=7&mode=txt

Specifically, read section 5a.

Only thing, here we are not using debug.exe because of old time limitaitons, but python/perl/ruby/whatever to get it in.

Have Phun