[HN Gopher] Blackrota: obfuscated backdoor written in Go
___________________________________________________________________
Author : lsllc
Score  : 104 points
Date   : 2020-11-27 17:37 UTC (5 hours ago)
Link   : blog.netlab.360.com

| stiray wrote:
| I can't really enjoy articles like this after seeing:
| https://z0mbie.dreamhosters.com/ (yes, the site looks like crap by
| today's standards, but the author was an evil genius)
|
| and
|
| https://z0mbie.dreamhosters.com/autorev.txt
| https://z0mbie.dreamhosters.com/src/mistfall2/index.html
|
| "The virus supports a unique new technique: code integration. The
| Mistfall engine contained in the virus is capable of decompiling
| Portable Executable files to its smallest elements, requiring 32MB
| of memory. Zmist will insert itself into the code: it moves code
| blocks out of the way, inserts itself, regenerates code and data
| references (including relocation information), and rebuilds the
| executable. This is something that has not been seen in any
| previous virus. Zmist occasionally inserts jump instructions after
| every single instruction of the code section, each of which will
| point to the next instruction. Amazingly, these horribly modified
| applications will still run as before, just like the infected
| executables do, from generation to generation. In fact we have not
| seen a single crash during the test replications. Nobody expected
| this to work, not even its author Zombie. Although it is not
| foolproof it seems to be good enough for a virus. It takes time for
| an individual to find the virus in infected files, due to Zmist's
| extreme camouflage, making it the perfect anti-heuristics virus."
|
| Search here for the Zmist description (Mistfall is the engine, with
| sources in the previous links):
| https://crypto.stanford.edu/cs155old/cs155-spring09/papers/v...
|
| What I am seeing today as malware is a joke compared to those
| times. The knowledge is just lost.
|
| saagarjha wrote:
| It's really not; it's just that malware of today does much more
| than that.
|
| aldanor wrote:
| That's pretty awesome indeed.
|
| (And of course, the main source file is named hooy.cpp)
|
| bediger4000 wrote:
| The obfuscation appears to be Go being statically linked, so there's
| a large number of functions to comprehend, along with the humans
| running the source code through a Go-code obfuscator that renames
| all functions to randomly-chosen strings and XOR-encodes any
| printable strings.
|
| That type of obfuscation is pretty common for PHP malware. The only
| thing notable here is that the original, human-written source is
| Go.
|
| guessmyname wrote:
| > _That type of obfuscation is pretty common for PHP malware. The
| only thing notable here is that the original, human-written source
| is Go._
|
| Yes, I can attest to that. I worked for a company with a team of
| malware researchers and this was a common obfuscation technique. I
| would not say the use of Go is novel either. I have reviewed
| several pieces of malicious code and exploits written in Go in the
| last five years or so.
|
| dwheeler wrote:
| If someone wants you to run code that's obfuscated, and it's not a
| game, it might be a good idea to ask "why?" It _might_ be
| legitimate code... but it might not be. Yes, yes, some proprietary
| software is shipped that way... but a lot isn't.
|
| rurban wrote:
| So is it now blackrato.ga or blackrota? I need to block this
| domain.
|
| 8organicbits wrote:
| Use a block list; it's probably not worth the time to block
| domains you read about one by one.
|
| nneonneo wrote:
| It looks like gobfuscator just modifies the source code by renaming
| package and file names to random strings, and adds string
| encryption. The resulting source code is compiled by the Go
| compiler as usual, and no further obfuscation is applied.
|
| This is fairly weak: Go runtime functions are unobfuscated, and
| package names are consistently renamed (that is, if "geacon" is
| renamed to "ammopppfcdmmecpgbkkj" in one function, it's renamed
| that way consistently for all functions). This in turn should make
| it much easier to deobfuscate by gradually expanding the set of
| "known" package, class and function names.
|
| XOR-encoding of strings is slightly annoying, but since gobfuscator
| replaces each string with an anonymous function, you could in
| principle write a simple Unicorn script to emulate each string
| decoder function, coupled with some heuristics to detect such
| functions (e.g. just look for functions which have an xor and a
| single call to runtime_slicebytetostring).
|
| Having worked on really "heavily obfuscated" code (flattened
| control flow, functions implemented in obfuscated VMs, custom
| incompatible ABI, cryptographic encryption of code, etc.), this
| gobfuscator looks comparatively easy :)
|
| 420codebro wrote:
| What is your background? Your experience sounds very interesting.
|
| jhalstead wrote:
| They have their website [0] in their profile, which has some
| interesting background.
|
| [0] https://robertxiao.ca
|
| Quekid5 wrote:
| Seems very reminiscent of early Java bytecode obfuscators.
|
| antonzabirko wrote:
| Excellent analysis
|
| azalemeth wrote:
| > 'Having worked on really "heavily obfuscated" code (flattened
| control flow, functions implemented in obfuscated VMs, custom
| incompatible ABI, cryptographic encryption of code, etc.), this
| gobfuscator looks comparatively easy :)'
|
| For any HN readers who have not already encountered the MOVfuscator
| [1] I cannot recommend this Blackhat talk highly enough -- the x86
| MOV instruction is Turing complete, and it flattens arbitrary code
| to MOVs.
| It's also the only time I've ever seen brainfuck being used as a
| seriously sensible intermediate language ;-)
|
| [1] https://www.youtube.com/watch?v=R7EEoWg6Ekk [I think this is
| the preferred link!]
|
| kortex wrote:
| I've been experimenting with a technique for string vectorization:
| create a "basis space" of N random strings. The vector of string S
| is
|
| `[edist(S, b) for b in basis]`
|
| where edist is some Levenshtein edit distance. You can build
| feature vectors from these by analyzing adjacency within logical
| blocks. Take other known Go software, obfuscate it, and vectorize
| it on the same basis. Even though the obfuscation is random,
| similar code chunks should project to a similar "shape" manifold.
___________________________________________________________________
(page generated 2020-11-27 23:00 UTC)
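The two weaknesses nneonneo's comment points out, XOR-encoded strings wrapped in anonymous decoder functions and package names renamed consistently across the whole binary, can both be shown in a few lines of Go. The block below is an added example written for this page; it is not code from the thread, from gobfuscator or from the Blackrota sample. The XOR routine is a simplified stand-in for whatever encoding gobfuscator really emits, the ciphertext bytes and key are constructed here, and the function names under the renamed package are invented (only the `ammopppfcdmmecpgbkkj` / `geacon` pair comes from the comment).

```go
package main

import (
	"fmt"
	"strings"
)

// encodeString XORs each byte of s with the key (repeated as needed).
// Simplified stand-in for the string encoding nneonneo describes, not
// gobfuscator's actual routine: the literal disappears from the binary
// and only ciphertext and key survive as constants.
func encodeString(s string, key []byte) []byte {
	ct := make([]byte, len(s))
	for i := 0; i < len(s); i++ {
		ct[i] = s[i] ^ key[i%len(key)]
	}
	return ct
}

// decodeString is the body the obfuscator leaves behind in place of each
// literal. XOR is its own inverse, so the same loop recovers the text; the
// final conversion compiles to the runtime.slicebytetostring call that
// nneonneo suggests as a fingerprint for spotting these decoders.
func decodeString(ct, key []byte) string {
	pt := make([]byte, len(ct))
	for i := range ct {
		pt[i] = ct[i] ^ key[i%len(key)]
	}
	return string(pt)
}

// obfuscatedCallsite shows what a rewritten call site looks like: an
// anonymous function returning the decoded string. The byte values are
// constructed for this example (they encode "geacon" under a 3-byte key),
// not constants lifted from the Blackrota sample.
func obfuscatedCallsite() string {
	return func() string {
		return decodeString(
			[]byte{0x3d, 0xc6, 0x76, 0x39, 0xcc, 0x79},
			[]byte{0x5a, 0xa3, 0x17},
		)
	}()
}

// propagateNames exploits the consistent package renaming nneonneo points
// out. Symbols are "pkg.rest" strings as a disassembler would list them;
// once one renamed package is identified, every symbol under that prefix
// is relabelled. It returns the relabelled symbols and how many changed.
func propagateNames(symbols []string, known map[string]string) ([]string, int) {
	out := make([]string, 0, len(symbols))
	resolved := 0
	for _, sym := range symbols {
		dot := strings.IndexByte(sym, '.')
		if dot > 0 {
			if orig, ok := known[sym[:dot]]; ok {
				out = append(out, orig+sym[dot:])
				resolved++
				continue
			}
		}
		out = append(out, sym)
	}
	return out, resolved
}

func main() {
	fmt.Println(obfuscatedCallsite()) // geacon

	// Constructed symbol list: the renamed package is the one quoted in
	// nneonneo's comment; the function names are invented for the example.
	syms := []string{
		"ammopppfcdmmecpgbkkj.Run",
		"ammopppfcdmmecpgbkkj.(*Client).Beacon",
		"runtime.slicebytetostring",
	}
	known := map[string]string{"ammopppfcdmmecpgbkkj": "geacon"}
	relabelled, n := propagateNames(syms, known)
	fmt.Println(n, "symbols relabelled:", relabelled)
}
```

In a real workflow the `known` map is what grows: each decoded string or recognised runtime call pins one more renamed package, and `propagateNames` pushes that label onto every symbol sharing the prefix, which is exactly why consistent renaming is the weak point the comment describes.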
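kortex's string-vectorization sketch, carried through in Go as an added example for this page (not code from the thread): a seeded random basis, Levenshtein distance to each basis string as the vector, a per-block average as a crude version of "analyzing adjacency within logical blocks", and cosine similarity to compare blocks. The symbol sets in `main` are constructed for the demonstration, and the example only prints the similarities; whether similar code really projects to a similar shape after obfuscation is the hypothesis the comment raises, not something this block proves.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// edist is the Levenshtein distance (insert/delete/substitute cost 1).
func edist(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev, cur := make([]int, len(rb)+1), make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// randomBasis draws n lowercase strings of length l from a seeded source;
// the seed is fixed so every binary is projected onto the same basis.
func randomBasis(n, l int, seed int64) []string {
	r := rand.New(rand.NewSource(seed))
	basis := make([]string, n)
	for i := range basis {
		buf := make([]byte, l)
		for k := range buf {
			buf[k] = byte('a' + r.Intn(26))
		}
		basis[i] = string(buf)
	}
	return basis
}

// vectorize is kortex's [edist(S, b) for b in basis].
func vectorize(s string, basis []string) []float64 {
	v := make([]float64, len(basis))
	for i, b := range basis {
		v[i] = float64(edist(s, b))
	}
	return v
}

// blockVector averages the vectors of every string in one logical block
// (e.g. the symbols one function references) into a per-block "shape".
// An empty block yields the zero vector.
func blockVector(strs, basis []string) []float64 {
	v := make([]float64, len(basis))
	for _, s := range strs {
		for i, d := range vectorize(s, basis) {
			v[i] += d / float64(len(strs))
		}
	}
	return v
}

// cosine compares two shapes; it returns 0 if either vector is all zeros.
func cosine(x, y []float64) float64 {
	var dot, nx, ny float64
	for i := range x {
		dot += x[i] * y[i]
		nx += x[i] * x[i]
		ny += y[i] * y[i]
	}
	if nx == 0 || ny == 0 {
		return 0
	}
	return dot / math.Sqrt(nx*ny)
}

func main() {
	basis := randomBasis(16, 8, 1)
	// Constructed symbol sets: a plain build, the same code after a
	// gobfuscator-style package rename, and an unrelated block.
	plain := []string{"geacon.Run", "geacon.Beacon", "runtime.slicebytetostring"}
	renamed := []string{"ammopppfcdmmecpgbkkj.Run", "ammopppfcdmmecpgbkkj.Beacon", "runtime.slicebytetostring"}
	other := []string{"net/http.(*Server).Serve", "encoding/json.Marshal", "fmt.Println"}
	bp := blockVector(plain, basis)
	fmt.Printf("plain vs renamed:   %.3f\n", cosine(bp, blockVector(renamed, basis)))
	fmt.Printf("plain vs unrelated: %.3f\n", cosine(bp, blockVector(other, basis)))
}
```

The seed matters more than it looks: vectors are only comparable when the reference corpus and the sample were projected onto the identical basis, so the seed (or the basis itself) has to be stored alongside any feature database built this way.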