
SANS Internet Stormcast Feb 7th 2025: Unbreakable Anti-Debugging

If you are not able to play the podcast using the player below: Use this direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9314.mp3


The Unbreakable Multi-Layer Anti-Debugging System
Xavier found a nice Python script that included what it calls the "Unbreakable Multi-Layer Anti-Debugging System". Leave it up to Xavier to tear it apart for you.
https://isc.sans.edu/diary/The%20Unbreakable%20Multi-Layer%20Anti-Debugging%20System/31658

Take my money: OCR crypto stealers in Google Play and App Store
Malware using OCR on screenshots was available not just via Google Play, but also via the Apple App Store.
https://securelist.com/sparkcat-stealer-in-app-store-and-google-play-2/115385/

Threat Actors Still Leveraging Legit RMM Tool ScreenConnect
Unsurprisingly, threat actors still like to use legitimate remote admin tools, like ScreenConnect, as a command and control channel. Silent Push outlines the latest trends and IoCs they found.
https://www.silentpush.com/blog/screenconnect/

Cisco Identity Services Engine Insecure Java Deserialization and Authorization Bypass Vulnerabilities
Java deserialization strikes again to allow arbitrary code execution. Cisco fixed this vulnerability and an authorization bypass issue in its Identity Services Engine.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multivuls-FTW9AOXF

F5 Update
F5 fixes an interesting authentication bypass problem affecting TLS client certificates.
https://my.f5.com/manage/s/article/K000149173

Podcast Transcript

Hello and welcome to the Friday, February 7th, 2025 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich and today I'm recording from Jacksonville, Florida. And Xavier today wrote up an interesting anti-debugging system that he found in a Python script. It is labeling itself as a multi-layer anti-debugging system, actually an unbreakable multi-layer anti-debugging system. It's implemented in various threads that run in parallel. That in itself of course makes it a bit more difficult to figure out what's going on here and to disrupt these anti-debugging techniques. Some of them are sort of well known, for example checks if the program is being traced. But also some interesting things, for example, overwriting the file itself with randomized lines in order to prevent hashing. It also does calculate a checksum of its memory footprint ever so often to detect tampering. Interesting techniques here; of course, they can all get bypassed, in particular in something like a Python script where it's not that difficult to go into the file and make changes to the file, like for example to disable some of these techniques. And Xavier is going over some of the other sort of interesting techniques here as well. There are about a dozen or so techniques in total that are being employed by this single piece of malware.

When it comes to remote management tools, there's often a fine line between which tools are malicious and which tools are beneficial for an organization. And that line is usually not defined by the tool that's being used but by who is actually using the tool. We often see, well most famously, tools like VNC and RDP being used by attackers in order to remote control compromised systems. Silent Push has a good little update on how ScreenConnect is currently being used. Again, a legitimate tool that's often used by administrators to remotely manage systems but is also used by attackers. And Silent Push is listing some of the techniques they are recently seeing here and also some indicators of compromise that you may find helpful. In general, when it comes to these remote management tools, you must control them. Only allow authorized tools to be installed. Attackers often install legitimate tools like ScreenConnect or VNC to essentially hide the tool, because it's often then not really recognized as malicious as it's a legitimate tool. Also, of course, on the network you must control what kind of protocols are being used. That tends to be kind of difficult these days because all of these tools typically at least have a mode in which they can just tunnel over HTTPS natively without sort of installing any additional VPN software.

And Kaspersky published a blog showing they found malware that steals crypto wallet recovery phrases from both Android and iOS. Of course, different malware but apparently coming from the same source using similar techniques. Both malware look for images, then run OCR on these images using the Google machine learning library, both on iOS and Android, and then exfiltrate any crypto wallet passphrases that they may find. The affected apps have already been removed from the respective app stores but of course, as always, follow-ups and copycats once an attack like this becomes known. In this particular case, they included the malicious functionality in a software development kit. Interestingly, the iOS app they found was a Chinese food delivery app that may have just used the particular software development kit. Not sure if the entire app was functional or whether it was just malicious, but very likely that someone who is looking for this particular food delivery app would actually fall for this scam.

And then we got a couple of patches to talk about before the weekend. First of all, Cisco released an update for its Identity Services Engine, ISE. It fixes two vulnerabilities that do allow arbitrary code execution as well as authorization bypass. And we got a monthly update from F5. F5 fixed a single TLS-related vulnerability. This vulnerability I don't think is that super critical. It's a TLS sort of session resumption vulnerability. Could be used to bypass authentication via client certificates, which of course is interesting. It does require that you have named virtual hosts, which of course is probably rather common.

Well, that's it for today. Before I sign off, a little bit of homework. I'm looking for some feedback here. We're just about a month into doing the video part of the podcast. I'm still refining some of the details here, of course, but the two sort of goals I set myself here are, first of all, I don't want to make the audio-only version any worse. So let me know if I accomplished that. And if the video version, which I know actually has picked up some viewers across different social media channels in particular, if it does help you, if there's anything that could make it a little bit better here, of course, can really do much more sort of from a production value here, just because time is limited to produce something like this daily. And eventually I'll start traveling again and it has to work while on the road as well. That's it for today. So please send me any feedback and talk to you again on Monday. Bye.
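An added example, not from the ISC diary or the podcast: a small static triage scanner that flags Python source for the anti-debugging and anti-tampering patterns the episode describes (trace detection, overwriting the script's own file, in-memory checksums, background threads). The indicator regexes and the sample script are constructed assumptions for illustration, not the script Xavier analysed.

```python
"""Triage scanner for layered anti-debugging indicators in Python source.
Indicator patterns and SAMPLE below are constructed assumptions, not
the actual script from the ISC diary."""
import re
from collections import defaultdict

# Each indicator: a label and a regex matched line by line (assumed patterns).
INDICATORS = {
    "trace-check": re.compile(r"sys\.gettrace\(|TracerPid|ptrace"),
    "self-overwrite": re.compile(r"open\(\s*__file__\s*,\s*['\"]w"),
    "memory-checksum": re.compile(r"hashlib\.\w+\(.*(inspect|getsource|__code__|co_code)"),
    "background-thread": re.compile(r"threading\.Thread\("),
}

def scan_source(source: str) -> dict:
    """Return {label: [line numbers]} for every indicator seen in source."""
    hits = defaultdict(list)
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, pattern in INDICATORS.items():
            if pattern.search(line):
                hits[label].append(lineno)
    return dict(hits)

def risk_score(hits: dict) -> int:
    """Count distinct indicator families; three or more combined with a
    background thread is the parallel, layered pattern the episode describes."""
    score = len(hits)
    if "background-thread" in hits and score >= 3:
        score += 2
    return score

# Constructed sample mimicking the described behaviour (not real malware).
SAMPLE = '''
import sys, threading, hashlib, random
def check_trace():
    if sys.gettrace() is not None: sys.exit(1)
    with open("/proc/self/status") as f:
        if "TracerPid:\\t0" not in f.read(): sys.exit(1)
def shuffle_self():
    with open(__file__, "w") as f: f.write("# " + str(random.random()))
def mem_check():
    h = hashlib.sha256(check_trace.__code__.co_code).hexdigest()
threading.Thread(target=check_trace, daemon=True).start()
'''

if __name__ == "__main__":
    found = scan_source(SAMPLE)
    for label, lines in sorted(found.items()):
        print(f"{label:18s} lines {lines}")
    print("score:", risk_score(found))
```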