I recently sat in on a presentation that discussed how a malicious program was converted (and XOR’d) into a binary file. A second program downloaded the seemingly innocuous binary file and converted it back to the original malicious program on the desktop then executed it. This was to evade perimeter security. While this technique isn’t new, I thought it would be cool to write my own POC.
Getting a malicious file past IDS and anti-virus isn’t very hard and the technique described at the presentation isn’t all that necessary. You can use a FUD packer/crypter or make your own. But one additional stumbling block that wasn’t mentioned in the presentation was how it circumvented the desktop’s software firewall.
There are several ways to get past a personal firewall such as DLL injection, BHO, etc. You can even try to kill the firewall by stopping the service or terminating the program. These methods either require admin rights or may trigger AV’s heuristics engine. I wanted to see if there was another way to do this without getting too complicated.
Anyway, here are my goals for this evening’s project:
1) Bypass the personal firewall;
2) Not require admin rights;
3) Make the download transparent to the user; and
4) Get it past AV’s heuristics engine.
Given these goals, I thought that I would leverage Internet Explorer since the user would have permitted this program in their firewall. One method that I thought I would use is Microsoft’s OLE Automation. With Automation, I can launch IE and set the visibility flag to false which means no windows will show up. The limitation of using Automation is that if I want to download a file like a picture or another executable, a “Save As” dialog box appears and waits for the user to proceed with or cancel the download. However, I can save HTML (or text) to a file without any dialog box appearing.
Now I need to figure out how to convert the EXE file I want to download into a text file. I could convert the executable to hexadecimal but I’m afraid that IDS or AV would detect it as it’s being downloaded. The next best thing would be to UUencode the file or convert it to Base64. I already had code for encoding/decoding Base64 so I thought I would use that.
So here’s the plan: Convert the EXE file to Base64 and upload it to a website. Then let the downloader program download it and save it as a text file. The downloader will then convert the Base64 text to binary, save it as an executable, and then execute it.
Here’s the partial code in VB:
And here’s an excerpt of the Base64 file of the downloaded executable:
The advantage of using text (Base64) is that I could use rot, xor, or some other bitshift method to obfuscate the text to make extra sure IDS and AV can’t detect it. If I wanted to be fancy I guess I could do all this in memory so the downloaded file and resulting executable never touches the hard drive and increase the chances of success.
Anyway, it works! On XP and Windows 7, no IE window appears, no dialog box, no UAC, no alerts and the code is downloaded and executed. Of course there’s other/better ways to accomplish this but this met my goals. And now I have a program I can use for demonstrations and a future pentest.