[Dailydave] Protecting your code versions.
Dan Guido
dguido at gmail.com
Mon Sep 22 16:20:24 EDT 2014
I've found it surprising that so few attackers have adopted crypto to
protect their toolkits, even after they have empirical evidence from
malware like Gauss that it works (note: still not decrypted!).
I'm not sure what exactly INNUENDO is using but we've settled on
environment-derived keys as a central part of MAST, our software
protection engine. No AV in their right mind is going to stream your
entire 500GB HD to the cloud for analysis.
These techniques are not only applicable to malware. Our intended use
case for MAST is, believe it or not, iOS application protection. It's
developed in LLVM so it works without modification on any language and
architecture that they do.
More reading:
http://blog.trailofbits.com/2014/08/20/remastering-applications-by-obfuscating-during-compilation/
https://media.blackhat.com/bh-us-12/Briefings/Song/BH_US_12_Song_Royal_Flowers_Automated_WP.pdf
-Dan
On Fri, Sep 19, 2014 at 2:46 PM, Dave Aitel <dave at immunityinc.com> wrote:
> http://vimeo.com/106620144
>
> Everyone is sick of the Kaspersky guys doing three hundred page PDFs
> with a long listing of which versions of some trojan they found were
> installed when, and what features each trojan had, and what possible
> code reuse there was. And of course, if there's an 0day in some random
> trojan, everyone likes to rip that out and spend years pontificating
> about it.
>
> But even if I'm not using 0day, I often want to protect my escalation of
> privilege attacks from the defenders. I don't want them able to track my
> code versions, and I don't want them knowing the details of my
> exploitation methods so they can add more features to EMET or KAV.
> That's why INNUENDO allows you to put a password in that protects as
> much of your implant deployment package as possible. Check out the video
> for more!
>
> And of course, if you're interested in trialing or buying INNUENDO,
> please let us know at admin at immunityinc.com!
>
> Thanks,
> Dave Aitel
> Immunity, Inc.
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
More information about the Dailydave
mailing list