Racing to Zero

Monday, August 11th, 2008

Last Friday Artem and I competed in Race to Zero at DefCon 16, using a custom packer we designed and developed for the contest. While designing the packer, we discovered that generic detection heuristics in AV tools make it difficult to create effective packers using traditional approaches. As an example, try simply adding an empty section to Microsoft Notepad and submitting the modified executable to VirusTotal – multiple AV tools will erroneously flag it as generic malware.

As an alternative, Artem architected a packer that places obfuscated malware inside a benign executable. The resulting packer – ZeroPack – uses Quickman, an open source fractal visualization tool. During compilation of the modified Quickman, the XOR-obfuscated malware instance and its corresponding one-time pad are inserted as binary resources. When a ZeroPack-obfuscated malware instance is executed, fractals are generated and visualized, then unpacking begins.

During unpacking another Quickman process is created in a suspended state and its in-memory image is overwritten with that of the obfuscated malware. A byte-by-byte deobfuscation is then performed, wherein a byte read from the one-time pad is used to XOR a corresponding location of the obfuscated malware’s in-memory image. When the transformation completes, the second Quickman process (containing the now-deobfuscated malware instance) is unsuspended.
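The design above hides the payload as a resource that, once XORed with a one-time pad, is statistically indistinguishable from random bytes. A defender-side check that a file scanner can apply is per-section entropy of the PE on disk. The following is an added example, not code from the post or from ZeroPack: it parses a PE section table and flags sections whose raw bytes are near-random. The minimal PE32 image it builds, the seeded pseudo-random bytes standing in for the pad-XORed payload, and the 7.5 bits-per-byte threshold are all constructed assumptions.

```python
import math
import random
import struct

# Constructed minimal PE32 image (not a runnable program): DOS stub, COFF and optional
# headers, then a low-entropy .text and a .rsrc of seeded random bytes (assumed payload).
def build_sample_pe() -> bytes:
    rng = random.Random(1234)
    text = b"\x90" * 512 + b"\xc3" * 512                     # NOP/RET filler
    rsrc = bytes(rng.getrandbits(8) for _ in range(4096))    # stands in for pad-XORed payload
    sections = [(b".text", text), (b".rsrc", rsrc)]
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = b"\x0B\x01" + b"\x00" * (0xE0 - 2)                 # PE32 magic, rest zeroed
    sec_hdrs, raw, ptr, hdr_size = b"", b"", 0x200, 0x200
    for i, (name, data) in enumerate(sections):
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data),
                                0x1000 * (i + 1), len(data), ptr, 0, 0, 0, 0, 0x60000020)
        raw += data
        ptr += len(data)
    return (dos + coff + opt + sec_hdrs).ljust(hdr_size, b"\0") + raw

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means indistinguishable from random, as one-time-pad output is."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def section_entropies(pe: bytes) -> dict:
    """Walk the PE section table and measure each section's raw (on-disk) bytes."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                         # first IMAGE_SECTION_HEADER
    result = {}
    for i in range(nsec):
        name, _vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        result[name.rstrip(b"\0").decode()] = shannon_entropy(pe[rptr:rptr + rsize])
    return result

def suspicious_sections(pe: bytes, threshold: float = 7.5) -> list:
    """Sections at or above the (assumed) threshold are candidates for a hidden payload."""
    return sorted(n for n, e in section_entropies(pe).items() if e >= threshold)
```

On the constructed image, `.text` measures 1.0 bit per byte and `.rsrc` lands near 8.0, so only `.rsrc` is reported; on a real sample the same check distinguishes ordinary resources (icons, strings, dialogs) from a pad-encrypted blob that an empty-section heuristic never looks at.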

Using ZeroPack, Artem and I completed Race to Zero in 2 hours, 25 minutes. We won the “Dirtiest Hack” category (for launching Office on a malicious MS Word document that a modified ZeroPack would spit out) and finished second overall. We have since tested it with samples from our research malware corpus: any sample we obfuscate with ZeroPack and upload to VirusTotal gets 0/32 detections.

In closing, Danny Quist of OC was right when he called Race to Zero a “Golden Opportunity for the Antivirus Industry.” With the mainstream public starting to learn about the waning efficacy of traditional AV approaches, the time for AV companies to begin moving to the tune of a different drum is now.

- Paul Royal, Damballa Principal Researcher