Ben: Hello and welcome to the next edition of the Hack the Planet podcast. We are joined today by a very special guest. We have Amanda Rousseau, Malware Unicorn: red teamer, malware analyst, and now malware developer and amazing security trainer, whose trainings are available at malwareunicorn.org. Say hello, Amanda.
Malware Unicorn: Hello everybody.
Ben: We're also joined by our usual panel. We have Mitchell,
Mitchell: Howdy everybody.
Dan: Hey folks. How's it going?
Ben: And Vyrus.
Ben: Big group today. So, Amanda, I am a huge, huge fan of your reverse engineering and malware development trainings. Specifically I just spent about a month staring into your, your OSX, (phonetic) "dild".
How do you pronounce that D-Y-L-D?
Malware Unicorn: Yeah, (phonetic) "dild". I, well, I would say (phonetic) "di-lid", but uh, some people say (phonetic) "dild". I think (phonetic) "dild" sounds really awkward.
Vyrus: I say (phonetic) "di-lid".
Ben: Yeah, I've been saying (phonetic) "dild" and then feeling weird about it every time I say it. Cause then cause then you're like (phonetic) "dild" you know, for OSX and you have to be really careful about slurring.
Max: (Phonetic) "Dild" for Mach-O is even worse.
Ben: Yeah. Yeah. So, I had an old friend, he used to call that the particular accent of the autodidact, which is where you've only ever read something and you have no idea how to pronounce it. Uh, so (phonetic) "dialed"?
Malware Unicorn: Hmm.
Ben: I liked that. I liked (phonetic) "dialed", "di-lid", "di-lid". Okay. Uh, anyway, so, I recently released a project that was the Universal Loader for Golang. So I did this library for Golang where it has the same interface in Go, no matter what platform you run it on and it lets you load a shared library.
Uh, so there's a, there's a Windows loader, a Linux loader, and OS X loader backend. And I totally wrote the OS X loader, uh, completely out of your training.
Malware Unicorn: Oh sweet.
Ben: And I know... so while I was, you know, I, I'm a bit of a hermit, so I'm not that familiar with what else is going on on the internet outside of GitHub.
But I looked at the sources that you referenced, uh, in the OS X training, cause I was like, you know, what was the source material for this? Like, who came up with this method originally or whatever, and you linked back to this, uh, this Black Hat talk from Synack. Uh, and I went back to the Black Hat talk to see it's like, you know, what other details were in there and that whole training came from like one slide in a Black Hat deck. And then I was like, oh, this is, this is an enormous amount of sort of original work that actually went into this training. So I don't know much else about you, but I know that you're pretty hardcore.
Malware Unicorn: Yeah. I had a lot of fun making all that shell code in there. I was lucky enough to actually get to write some assembly by hand for this one, but, uh, it came in handy.
Ben: Just to go through a little bit about what's in the training, the general idea is, uh, that you're... When you're doing a, when you're doing a loader, you're trying to like load a shared library, and OS X actually gives you, like, without touching disk is the goal, right? So you want to go from a byte array that contains an, you know, an image of a library, to having that loaded in memory so that you can call functions inside it.
And OS X is a little bit unique, uh, in the operating systems in that it actually gives you a couple of system calls that let you load a library from, from a byte array. Uh, and normally that's not something that's super easy to do. Normally they want you to go through the system loader. I'd really recommend this training to anybody.
But the core trick is the system calls that you need to make, uh, to load the library are in another library that's loaded called, uh, it's the dynamic loader library, which is D-Y-L-D however you pronounce that. Um, so you have to find that in memory and then find the exports for the two functions you need and then call the functions.
But there's really, an amazing amount of detail in the training that isn't in any other online source that I've seen. So I really wanted to ask you, uh, like right off the bat, kind of what went into developing that, you know, if there's any other sort of salient details.
Malware Unicorn: Uh, yeah. So, one of the things that I liked about switching to being an offensive security person is I get to write tools and malware and stuff. And so one of the things I liked was switching from Windows to OS X. So a lot of this is like part of me learning more about OS X, um, and learning like compared to the NTDLL loader and Windows, comparing it to the OS X one it's a little bit similar and a little bit different in a way.
Um, so the fact that you have to find (phonetic) "dild" in memory kind of sucks, and the way you do it is really ghetto. And that you have to just keep finding, um, the next header in memory, and then checking if the address is legit and then trying to check the name of the process and memory or the, the (phonetic) "di-lib" in memory, and then finding it that way, which it sucks. But then, you know, having everything off of, you know, a normal offset, uh, if you just keep going down that list, it will eventually find it. Um, and once you have the (phonetic) "dild" or a (phonetic) "di-lid", however you want to say it, and you can do anything from there and, and, um, parse out the symbols, which is great. And then you can, um, use those... once you use those, uh, functions, when you cast, you know, cast the function and you're able to use it, then you can load up whatever dylib you want, as long as you change the header.
And I think I mentioned that in the, in the tutorial there, you have to change one flag in the header of the dylib in order to get it, to run like that.
Ben: Yeah, you have to, you have to change it to a bundle.
Malware Unicorn: Yup.
Ben: Yeah. So the library you want to load has to be a bundle because the, the, the (phonetic) "di-lid" call that you need to use, like checks to make sure it's a bundle.
There were some other weird tricks in there too, basically when you're walking, you have to just walk forward in memory and look for Mach-O headers, which marks the beginning of a library image.
Malware Unicorn: Mhmm.
Ben: And as you're walking forward in memory, there's another trick which is super important to avoid segfaulting, right?
Because when you're walking through the virtual memory space you could hit on an invalid address and if you just try and straight access that, uh, you're going to crash. So there's another trick in the training, which is about using system calls. It was actual system calls like chdir or whatever,
Malware Unicorn: Mhmm, yeah.
Ben: As a way of avoiding a segfault because they'll return different things if memory is valid or not valid without crashing, and this is all just deep OS X voodoo. But it's... it was really... I never would have gotten through that by myself. I could say that a hundred percent.
Justin: I'm very curious... back to what you said Awgh (handle for Ben) when Awgh and I were working on a rewrite of Backdoor Factory, we had a hell of a time finding good information on Mach-O and its structure and just information on it.
How much of this were you able to find, um, in resources and how much did you have to figure out by yourself?
Malware Unicorn: Well I did have some of the, what is it? The, um, what is his name? Uh, the OS X inside, uh, internal books. I read some of those and some of them, I just sit there and read the, um, the source and I think I, in some of the things there today, I put some of the links to the actual, um, kernel code, the XNU kernel code. So I would sit there and go through and read the actual open sourced headers and everything, and trying to see, like, how do you parse the Mach-O headers and go look at the functions, actual functions that are being called so you kind of understand like what they return and what they're doing. But you know, some of these were like, I, I mentioned that I referenced a resource that talks about those functions. So if you take that and then go look at the actual kernel code then you can figure out what's going on.
There are more juicy functions in kernel code that you can also access. I didn't get really much of a chance. I was more focused on getting this done quickly. I only had like a month to really make something like this. So...
Justin: It's amazing.
Ben: Yeah. Uh, it took me, it took me two months to get through the universal thing and I was copying lots of other people's code.
Justin: I think there's a lot of people out there that, that are looking for this exact information and they don't, they don't know. You know, if they knew this was there, they would, they would be like, "oh, that'd be a gold mine." Right. There's... It's just so many people.
Vyrus: I mean, I remember reading about the, uh, reading that source just to grok how the Mach library works under the hood. Because so much of it is like purposefully, it seems, like, undocumented by Apple, but you can just go read a chunk of the open source code and it's like, anytime you see a missing chunk you can just assume that's something, they moved to their magic RPC server in their hidden little sock someplace. But man, so many dragons.
Ben: Yeah I ended up reading through a fair amount of the (phonetic) "di-lid" code, uh, also. And, uh, I was, I was very excited initially when I remembered that, oh yeah, the guts of OS X Darwin are open source. Like I can just go read this code. And then I went and looked at the code and I was like, actually, this is, this is awful.
It's it's, it's, it's the kind of source code that makes you sad. Like they, they, they do a lot of, uh, like error checking that will force a crash. Uh it's just like, it's, it's really, it's some of the worst, uh, source code I think I've seen.
Vyrus: There's also a lot of stuff that like calls the internet for no reason where it's like, it's like the Apple version of an open-source tool that like helps you by updating a resource that just pulls from random place on the internet with absolutely no checking of crypto.
Ben: So what I was, uh, I was implementing my loader from, from the, the, the code in the training. Uh, the only thing I really had to change from the training, which you already just said, so, uh, I might accidentally be outing, uh, something that was left in there, uh, broken on purpose.
Uh, but the code in the training kind of made me think that, um, that, uh, dyld was always going to be the next image ahead of your base image in memory. Um, and it, it, it, isn't, it's sometimes like two or three up, uh, so you really do need to, like you scan for the OSX or the Mach-O magic number.
Uh, and then you do need to look at the image name and if it's not dyld move on to the next one. Um, so that was the only bit, I, I really had to change from what was in the training. Uh, and, but everything else just sort of worked out of the box. And it was, uh, uh, I was really just sort of marveling, like, who made this, like, you know.
Justin: This is the kind of documentation that we need.
Ben: Yeah. Um, and the other trainings on that site, so you've got, uh, some reverse engineering trainings. Uh, RE 101 and, uh, RE 102, I think.
Malware Unicorn: Yeah.
Ben: And, um, which are just sort of basic like malware analysis and I guess advanced malware analysis. Um, and, I also like one of those from a conference that you did is on, is on YouTube, but there might be more, um, so I, uh, I've looked through those and I saw you, uh, uh, do one of the trainings on video.
And I'm, I'm really, uh, kind of blown away by how, um, effectively you can kind of, you know, put all of the information in the right order and, and, uh, explain it in a clear way where people can follow along.
Malware Unicorn: Yeah, well, little does anybody know... I actually have a graphic design degree, so a lot of this stuff comes naturally for me.
Ben: So it's really, so you really have a lot of experience in like presenting information in a consumable way.
Malware Unicorn: Yeah. Changed careers last minute. And I can still use it.
Vyrus: So you're a graphic designer, a fashion person?
Dan: Yeah that's a rare pivot and I've never heard of that.
Ben: Yeah. That's, that's actually incredible. Cause I, I, uh, I've known a lot of really excellent hackers, but it's a very small minority of them that can effectively explain what it is they're doing. You know?
Justin: And then on top of that, the, what they want to do. So, uh, and the, to take the time to, uh, make slides that are, uh, have such a good explanation. And step-by-step, uh, and obviously it helps to have a graphics design degree while you're doing that. Right?
Malware Unicorn: Yeah.
Ben: Um, well, I was going to ask, I was going to ask you specifically about the malwareunicorn.org site. Uh, because it's like totally beautiful, you know, and it's like, obviously there's a lot of customizations for training.
Uh, and I did a little, like I ran the What Runs plugin on it to try and figure out if it was like a WordPress skin I could steal or something. Uh, but I was going to ask sort of what... is that totally custom or what is that?
Malware Unicorn: Yeah. So I sat down one day, I was like, I'm going to learn some React. Um, and there's like this tool that Google put out and you can convert your Google docs into like one of these trainings.
Um, I think I forgot the name of it, but I can share it later. Um, and it will convert whatever you wrote in a G-doc and turn it into like the nice UI there. I just kind of switch it up a little bit to have the colors that I want. Um, but most of it is just sitting on my GitHub pages and it, it just like serves from there. So.
Ben: Super cool. Yeah. I've sat down on several different days and tried to learn, React, uh, but still, still can't write React.
Malware Unicorn: Yeah. I wanted to talk about that. Uh, so growing up, I did not have a great experience learning computer science or coding or anything like that. So a lot of it was either on the job or, you know, me taking more time on the weekends to catch up.
And so for me, it's like an incentive to give back to people, to, to teach them in a way that I would want to be taught. Um, you know, growing, going through school, I almost failed my assembly class. Um, until I actually talked to the teacher a little bit. Um, so looking back, I'm so glad that I can give back to people, uh, in a way to teach them a little bit about, you know, what I've learned.
Justin: I was so going to point that out the way, the way, the way that you present it. Um, there, there, there's some motive behind there, uh, for, for giving back that is obvious in, in your presentation. And that's what I was wondering about. And you just explained it, why that's...
Ben: I think, you know, we've spent a lot of time talking about in previous episodes, sort of like the old, old hacker culture being mostly about kind of beating people up, beating each other up, like hacking each other's, uh, IRC channels or whatever.
Um, and it, it wasn't very, uh, welcoming. It was more kind of, uh, everyone was sort of, you know, fighting with each other and developing skills that way. And then we all get old and realize, you know, that we need to hire like 10 more security engineers for our team. And there just aren't security engineers to hire, you know?
And then, so everyone's sort of going back and being like, well, you know, maybe we need to, um, uh, uh, spend more time on training, you know, or we need to actually have, uh, some kind of training program. That's not just, "You're stupid, like get, get smarter," you know, um, and so I, uh, with that in mind, it's, it's like, I'm always, I'm always super interested, uh, when I come across somebody who seems to have a real gift for, uh, doing like security training.
Right. Because part of it is, it has to be, it has to be more hands-on than other kinds of training. Cause there's, there's some kind of intuition you have to help people build. So I wanted to ask you kind of a little, a little bit more about your philosophy of, of, of how to do a training. You know, how do you think about presenting this kind of information.
Malware Unicorn: How to do a training? Um, well, I'm a very visual person. Um, so for me to explain something in like a diagram or, um, in like, uh, like one concept per image, even with slides, like I try to do one concept per slide, uh, and keep, you know, things big, big sentences, big letters, whatever. Um, just so that people can digest something in, in one instance, rather than like a page. Kill, kill by, uh, what is it PowerPoint with just like a page of text?
Vyrus: Death by PowerPoint.
Malware Unicorn: Um, yeah. Yeah, Death by PowerPoint. Uh, I think that's, that's kind of what I go for. And of course, things have to look nice. Um, it's kind of, one of my downfalls in getting things done is, is making sure it looks nice the way I want it to. So, um, that, that that's another factor. Um, but as far as like trying to understand something, I kind of want to break it down into the most basic thing possible.
Like how do I explain this to somebody who is not in the field? Um, I always have to think about that. Like, how do I explain this to my mom or my, uh, my sibling or, you know, someone who just entered the field. Maybe, maybe it just comes with time in order to take these abstract ideas and turn them into something more concrete. You just have to use like a lot of metaphors and everything.
Justin: I had a great teacher one time who told me that, when I'm trying to break down concepts, think about trying to communicate to a very smart 11 or 12 year old, even if it's an adult. And, uh, yeah, no, I, I kind of, I kind of see see what they were saying.
Um, it made a lot of sense to me in that sense, because you know, some people just don't have natural talents in certain areas. Uh, so break it down to that level and it's easier to understand.
Ben: Explaining stuff to my mom's probably a bad example specifically because she doesn't actually care about anything computer related. She's just... every time I'm talking, she's just trying to figure out if I'm happy or not. And then once she figures out, if I'm happy or not, she she's like, oh, that's all I wanted to know. Right. So.
Malware Unicorn: Yeah, I think one of the examples is like, if I'm talking to, um, someone, I think I did this to one of the journalists before, and I was trying to explain that what, what it means to have different architectures, like ARM versus Intel and all that, and why the new MacBook, that's the M1 that's coming out or that came out what's different.
And then I explained it in like, okay, so you have a car brand. Right. Um, and that car brand uses different chassis that come from two different companies. And so these chassis are not interchangeable, but the hardware that you put on them are the same, you know, but it's built for that chassis.
So the chassis is essentially a different architecture and then it kind of like a light bulb hit in their head and they were like, oh wow. Now I completely understand what you mean. Why you know, you know, certain software doesn't work on a particular operating system, so, or architecture. So, uh, you know, things like that, just really simple.
Ben: That makes me, that makes me. It's it, you know, it might be an advantage to have other sort of non-tech information so that you can sort of use those concepts to communicate with other people. Um, and I'm just, I'm just suddenly thinking, like the people that I know that are really focused on one thing and they can be really, really good at it.
Those are, those are the people that, that have a lot of trouble sort of up-level upleveling concepts or kind of communicating what they're doing to other people. Um, so something just clicked in my head. Well, so you mentioned, you mentioned that you, you started out, uh, working on a graphic design. Uh, I'm wondering, kind of, how did, how did you get into InfoSec and in the first place?
Malware Unicorn: Ah, yeah, this is a fun story. So I actually went to school for graphic design and art. I mean, still, I still do it on the side. Um, but in, in college I switched to computer science, uh, last minute. Um, mainly because my dad he's, he's also in, um, the InfoSec industry and he told me, Hey, go take a computer science class with your brother so he doesn't fail. And so I was like, okay. So I took a class and I realized that I loved it, uh, became a tutor and a lab instructor. Um, probably I was like one of the only four girls to graduate, uh, that I remember. Um, and it just like blossomed from there.
So, uh, after that, I knew I, since I, my dad was sort of in the field, I kinda knew of these, these, um, uh, job titles and like what a reverse engineer was or network security person was. And I didn't know exactly what they did. I just knew that maybe I should be one of those people. So the first job out of college, I went to work, um, for the DOD doing some analyst work or forensics work and, uh, you know, worked my way up the chain there to, to get where I am now. Uh, it was a grind though.
I mean, I used to image, uh, was it hard, hard drives and take them out of the case and break a nail. And then eventually I did, you know, worked my way up to learn how to do intrusion investigations. So.
Justin: That is not a common first job out of college.
Malware Unicorn: No it's not.
Ben: It's uh, well, it's getting a little bit more common, uh, uh, these days, but.
Malware Unicorn: I think it's common for college kids who have no like backgrounds so they can get their clearance.
Ben: Yeah. But forensics is, uh, really boring, uh, or it has the potential of being incredibly boring, like
Malware Unicorn: Hence why I learned a lot of stuff.
Ben: Yeah. But boy, picking through an NTFS journal is like... So something I also did in my early twenties. And, uh, I'm glad that I don't have to do that anymore.
Max: It's certainly a good way to learn about some of this stuff, uh, is because you, you ended up getting, uh, you know, if you're doing forensics investigation, you, you end up learning so much about like the actual exploitation process and like, cause you're like, okay, how does yeah, how exactly did this happen? Even if you're just doing sort of recovery and not even doing a full forensic investigation.
Ben: So you're a second generation InfoSec person. There really aren't that many of those out there.
Dan: Pretty sure. That's the first for our show too.
Ben: It's it's the first, yeah, it's the first one we've talked to anyway.
Max: I think you're the first person I've talked to in general, like a generation...
Ben: I'm racking my brain. I think, I think I might've met one other person who's who's uh, who, who had a parent who was like one of the people that escorted crypto keys around with a handgun or something, which was technically InfoSec in the '70s.
Dan: That's a, quite a literal interpretation of InfoSec, but yeah.
Malware Unicorn: Yeah. I think my dad is like one of the people that works for insurance companies now and like works with the ransomware victims. Um, But when he was in his heyday, uh, he helped stand up the FBI SOC. So I think he, you know, knew a little bit.
Vyrus: Well, that explains the school track because I'm over here listening to people talk about likely college stories and I'm just like, "College. What is... What?"
Ben: So, if you want, if you want to be as good at, uh, InfoSec stuff, as you, like, step one, like, have different parents.
So, um, I gotta ask too, you mentioned that, uh, your, your dad asked you to take this class so that your, your brother wouldn't fail.
Malware Unicorn: Yeah. Oh he failed.
Ben: But was that just to make sure he showed up or, or, or like, so he'd have some competition or what was?
Malware Unicorn: Like someone to help him with his projects and homework. Um, we weren't in the same class, but we took classes at the same time, but, um, he eventually got a girlfriend that kind of like ruined his, his school life.
So he just never showed up anymore. And I just kept going.
Ben: Wow, that's amazing. So after the DOD, uh, what did you end up doing?
Malware Unicorn: Well, I realized like how shit the pay was, so I don't know if I can curse, but, uh.
Ben: Oh yeah.
Malware Unicorn: Okay. So I had decided to go to commercial, uh, intrusions. So I did a lot of, um, uh, commercial breach investigations. I think one of the investigations I did one ended up on like Krebs on Security one year. It was epic. Um, but I did the forensics for that. After that, I was like, man, I can't keep traveling. Cause I had just gotten a puppy. So I had to like move somewhere. So I moved to the Bay Area. And then I worked at FireEye. I landed at FireEye, which was an interesting, interesting job. I got there right before the IPO. So that worked out.
Vyrus: I was gonna say, was that pre or post merger?
Malware Unicorn: Yeah.
Ben: So I've had a couple other friends that worked at FireEye and they really learned a lot. Uh, by, um, you know, seeing malware basically.
Malware Unicorn: Yeah. Uh, is it "Mandiant" FireEye or "FireEye" FireEye?
Vyrus: It depends on who you ask. It was cause, cause like that's actually, I have actually had that experience. I've actually walked into a room and said it one way and had one person say it the other way and look at the other person. And then the other person looks at me and says, no, it's the other, and like they actually fight about this.
Malware Unicorn: Yeah. Yeah. I know. I came in on the normal FireEye FireEye side, so it was mostly malware research. Um, so I had to write a lot of the rules that they use in their VM. Um, which was interesting. Uh, I got to see a lot of malware. Yeah. Their VM.
Vyrus: In "air quotes."
Malware Unicorn: Um, and so, I mean, I would be looking at, uh, at least... I would try to process through like 50,000, um, samples and try to bubble up a lot of those. So I've seen a lot. Um, but after the IPO, you know, everybody started to leave. All the great people were ready to leave. And so you're just sitting there, "Well, well, I don't have any fun people to work around anymore." So might as well move on to something else. And that's when I wound up at Endgame.
Vyrus: Oh, I was going to ask. You ended up at like Bloomberg for a while right?
Malware Unicorn: Oh no. Uh, I just did that Bloomberg Live event. So, um, which was scary. I don't think I want to talk in front of venture capitalists ever again, but, um, uh, yeah, you know, these, these, these, uh, journalists they'll come up to you, like, "Hey, you want to do something for... speaking in front of people live?"
And I'm like, okay, when you're, when you're working for a startup, they want you to do a lot of PR stuff for them. So.
Ben: That's how I ended up getting my first DEF CON talk. I was working for a startup and they were like, "Go to DEF CON, give a talk." And I was like, yeah, they don't, they don't let you do vendor pitches. And they were like, "We don't care. It's like good press."
Malware Unicorn: Yeah. Any press is press right?
Justin: Was that your Lisp talk?
Ben: Uh, no, no, that was a couple of talks later, but that was the talk where I discovered I had a paralyzing fear of public speaking.
So you had a, you had a quote, you have all this like really sort of deep technical experience, uh, and an amazing level or amazing ability to kind of up-level it. And, uh, kind of extract the core concepts and present them to people who don't necessarily understand anything about the topic. Uh, but the thing that's that, that also really caught my attention.
Is, um, I don't, I don't know quite how to explain it, but you're also trying to communicate why it's fun or why it's interesting. So I actually, I actually wrote down a quote from one of your, uh, one of the trainings that I've watched online. So forgive, this is a little, this is a little paraphrase, but you said you, you kind of tried to motivate it upfront and you said there's always more things to reverse, you know, in everything in life that you want to learn. You have to take things apart to figure it out, you know, to figure out how they work. Uh, and I, I thought that was just like, I'm totally going to steal that basically. Um, but your, your example was, uh, that you took your clothes apart to learn how to sew.
Malware Unicorn: Oh yeah. Yeah. When I was younger, I used to do this a lot. I would like take two different pieces and splice them together or, uh, take things apart and try to make something new with it. Um, I, it kind of is like, you know, if you play with Legos, I think that was one of the things. Like you take apart a Lego set and you build something else with it. Right? Or you take a portion of it and use it in somewhere else.
So it's the same concept with everything I do, I guess, like reverse engineer... your life.
Vyrus: I'm curious only because my better half also does that. Like literally takes clothing apart, uh, to like figure out how to make different versions of it. And she always talks about how, or at least the way she does it is she takes the stuff apart and then makes a pattern out of it and then uses the pattern to make the actual clothing.
And like, one of my, I'm asking, because one of my like side projects that I guess is like a honey-do list item on it. It seems weird to call it that is training a, like an ML bot thing to size a reverse engineered pattern. Because apparently like you can't actually like, you know, obviously I don't actually know what I'm doing when it comes to sewing.
Like, you can't actually do that. Right. Because like some parts of it don't scale linearly within like one measurement to the next, or there's like, there's like some heart to it.
Ben: Well, also I think the, how stretchy the fabric is that's involved changes.
Malware Unicorn: Yeah the bias.
Ben: Yeah. Wait, what did you call that? There's a technical term.
Malware Unicorn: The bias. Yeah. Like if it's cut on the bias, it's just like the way the fabric stretches.
Max: It's like, there's the diagonal stretch too.
Vyrus: Yeah. Well, so is that what you do? You make like a pattern out of it or do you just like YOLO, I'm just going to take this apart and be awesome?
Malware Unicorn: It's more of like, I don't know. I'm one of those types of people that like to feel fabrics and see how it works. Cause I like to like, feel how they are, because that's like your, your ground work of what you're working with, right? It's like your medium. So it's the same with like tools, um, and what you use with the tools.
So depending on how it stretches or how the pattern lays and everything, it all determines on like what type of pattern you're going to make for it, or even where like all the darts and, and points you connect them. Um, but it, it sounds like your better half might, um, be interested in reverse engineering.
Vyrus: You know, I tell her that all the time and like she's been coming to DEF CON almost as long as I have. And she keeps being like, no, no. And I'm like, I don't know.
Justin: Speaking of, of, groundwork and tooling, when you were first learning, reverse engineering and assembly language, did you have any particular influences, uh, authors, books, resources, or, um, just things that you reverse engineered yourself that really, that you would call like the, the cornerstone of your learning or, uh, you really look back and say, uh, that helped me a lot that, uh, these resources are like what got me into it or what got me really going?
Malware Unicorn: Well, uh, in government, maybe it's government, maybe it's reverse engineering. You're assigned like a mentor mentee kind of, uh, my, uh, start when you, when you get into the field. Um, and one of the things that he made me do was read the, or, go through the Lena tutorials. The reverse engineering Lena tutorials. And that's basically most of my foundation. Like I, even though I did okay in assembly, like that was the one training that helped me do a lot of reverse engineering.
And then on the job learning, I think one of my first, um, malware that I got to do was Poison Ivy. I don't know if you've messed with Poison Ivy. It was kind of,
Malware Unicorn: Yeah.
Vyrus: That one takes me back man.
Malware Unicorn: Yeah. So, you know, having that to start with that, that helped a lot that like set the groundwork of solving a puzzle.
Vyrus: Was it like, was it like the old school one, or was it like the after Dark Comet came out and they ripped off a bunch of stuff from dark helmet one?
Malware Unicorn: Uh, I think this was before Dark Comet but I do like Dark Comet.
Vyrus: Yeah. Yeah, man. There was there, there, there was like a golden age, right? It was like, it was like Poison Ivy and Dark Comet and Black Hole. And what was the other one, like it had like Nimrod or some, some weird name like that. And.
Malware Unicorn: Yeah.
Vyrus: Ah, nostalgia.
Ben: I always pronounce those, the (phonetic) "lean-uhh" tutorials. Cause I, I, I thought it was like, someone's name was Lena.
Malware Unicorn: Oh, is that how you supposed to say? I always say (phonetic) "len-uhh"
Ben: I have no idea, uh, but I actually will link to those in the, um, in the program notes. Uh, but there's like 41 different levels or something like that. Um, and they've gotten a little bit harder to find on the internet, but I actually just tracked those down again relatively recently. Like there's a mirror of the whole set.
Malware Unicorn: Yeah. I think they start out with, um, like a lot of cracking, like, um, program cracking, which is, which is fun. I mean, uh, you're going to need to learn that to get around like anti analysis stuff, but, um, yeah.
Ben: Yeah, the (phonetic) "lean-uhh" or (phonetic) "len-uhh" tutorials are, are, uh, it's a really common thing to hear that somebody, uh, started out on those, uh, for the malware reversing side. Um, the it's kind of like, uh, for exploit development there's a kind of another, there's another site that, uh, almost everybody starts out on, which is, uh, Gera's Insecure Programming. Um, and, and those are, they're kind of like the, the Lena levels, but, uh, really focused on, uh, exploit development, uh, on different platforms. Um, and there's like nothing about cracking at all.
But those are, uh, it kind of speaks to how rare, really good trainers are, uh, that there aren't, you know, dozens of these things, there's really just a handful of them. And that, and that when you ask somebody who's like really good at something, like, what did you start out on? They almost always say one of a handful of things instead of all different things.
Malware Unicorn: Yeah.
Justin: I think, you know, that speaks to, uh, there being so many positions in the industry unfilled, uh, it goes back to the, that lack of good training. We need more good training.
Ben: Yes. Uh, well, I'm, I I've already been pointing people at malwareunicorn.org a lot, uh, especially because that's like the thing, if you're doing OS X malware at this point, that's the most fleshed out, uh, resource I've seen.
Uh, and it links back to that Synack deck, which is like one slide on every topic, which is not enough information to actually do anything. But, you know, at least it'll send you into the right part of the Darwin code where then you can suffer.
Vyrus: Which is, which is really important, right? Because like Apple and the way that their ecosystem works, like, they're just, there's not as much impetus on the Windows ecosystem to keep up with things, right.
Because it's like, you know, that for cross compatibility and the fact that. So many of the world governments entirely run on Microsoft. Like the old stuff isn't going away. Right. So they may come out with a new way tomorrow, but the old way is going to work for at least another 10 years. The Apple, when something gets deprecated, you got like a week, you know? And then all of a sudden, like everything's patched on the new version. And it's like, the change is a big, I mean, I end up referring, like, I've recently had to refer to the content on your site because, like, the only stuff out there on the thing I'm looking at is like, well, I'll just go read the code, but I need to go, I need to know where to go look. So I'll go look at like the Mac sysinternals, like three-part handbook, or I'll look at like, Dino's book that he put out a few years ago to see if it's referenced. And either there won't be anything in there because the structure is too new or it is referenced. But like, even before I finished reading the paragraph, I know that this is old.
And like half of it's been like deprecated and that means that some of it still works, but some of it doesn't work and Apple doesn't tell you which parts of it are which, and so I ended up just like, well, let's see if Malware Unicorn's already written about this. Oh yeah. Okay. Now I know where to go look.
Malware Unicorn: Yeah. I also took, I, when I went to REcon, I also took, uh, Stefan Esser's, uh, OS X kernel exploitation class, which was really good. He was the one that kind of like pushed you to read a lot of the kernel code. So I think that helped, uh, with. You know, just getting into that mode of, okay, so nothing's documented for Apple. Let's go read any of the open source code and like start from there. So if you, if you ever get a chance to take his course, uh, it's, it's a good learning experience. Even, even though it may not be applicable to your everyday job. It's good to, to see how he looks at patches and does things.
Ben: And he's a, he's a machine too. Like, so he, he was, uh, previously famous for just continuously destroying everything related to PHP, uh, for like a decade. And then at some point, uh, he decided, uh, PHP is dead. Uh, I'm going to switch to iOS, like Apple stuff. And then he's just been sitting on, uh, uh, destroying Apple stuff ever since.
Vyrus: But then WordPress happened and they saved PHP, and now we still have it.
Ben: I wanted to, uh, I wasn't quite done with the fashion topic yet. So, uh, all, all of the hackers we talked to have some other interests that they also get like super into. And, uh, like some, some people are into like, uh, messing with their cars. You know, we just talked to somebody who, uh, likes to, he's like a gunsmith. So he's like obsessed with restoring old guns.
Um, and then we've got Vyrus here. Who's into eating old meat. He likes to call it some fancy Japanese age something, but it's basically just old meat.
Vyrus: It's called dry-aging.
Ben: He gets meat and then he lets it get old and then he eats it. But it's, but it's like fancy for some reason.
Vyrus: I also make my own gin and like playing music and stuff.
Ben: There you go.
Malware Unicorn: Oh, shoot. So bougie dried meat.
Max: Does the gin go with the old meat?
Ben: Uh, so do you have a lot of fashion or, uh, clothes based, uh, projects?
Malware Unicorn: Uh, yeah, I wanted to actually start a fashion business, but you know, that's probably later in life, but now, you know, it's hard to like start things and then finish them. Um, like even now I think when I was, uh, just first getting pregnant with my little one here, I wanted to make a game.
Like I wanted to make my own little, uh, was it, uh, multi, uh, platform? Um, like kind of like the Clash of Clans, but for hacking.
Malware Unicorn: But, uh, you know, I'm, I'm in the concept phase at the moment. So it's, it's hard to find time right now to do my day job and like come back and like code stuff and draw stuff.
Um, but it, it all depends on like what the flavor is that year of what type of side project I want to do.
Vyrus: I saw a game, kind of like that once at a, an anime con, of all places.
Malware Unicorn: Oh really?
Vyrus: Yeah. It was a startup that had, that had made like a RPG Final Fantasy style, a JRPG clone. It was like, like, you can, you could tell that, like they spent all the money on like licensing the art from like Comiket or something.
And like the whole time the character is like standing there and the music's playing. It's like Final Fantasy, you know, they're like sitting there and stays this and then you write your code and hit enter and it would like, run. And if it errored they'd like punch themselves there, it ran but it wasn't effective because of this whole thing.
Justin: Can we do that? Can we, can we do that with assembly?
Ben: It sounds kind of like Screeps. Oh, there, there is a game like that for assembly.
Justin: Is there?
Ben: There's a couple of games by a local company here. Uh, Zachtronics, um, and, uh, Zach, even like, he's come out to DEF CON and stuff too. Then everybody, I think I was really drunk when I met him and I gave him a big hug and told him he was going to save humanity and it got weird, but he made two games. I mean, as I do. Right.
But, uh, he, he he's made two games. Uh, one is like TIS-100, where you do, you solve puzzles with this? He made his own little assembly language, which is pretty close to real assembly language. And it's a puzzle game where you, you have a limited number of lines to write assembly instructions and you get, um, you get more points for writing the most efficient code that like solves it and it's like massively kind of parallel.
So there's like blocks of code that talk to each other. It's really simple, but it's really complicated and it's amazing game. It's on Steam. Uh, but then he did a, uh, another game, which actually you write chunks of assembly and then you also kind of build a hardware board around it and there's different levels and puzzles and things like that.
And it's called Shenzhen I/O. And Shenzhen I/O is, uh. Up until I just, I just lost like, uh, uh, uh, two and a half days to Evil Genius 2. But, uh, the amount of time I lost to Shenzhen I/O is like a month and a half. Um, and I still feel guilt. I wait, I still feel guilty sometimes that I'm not playing Shenzhen I/O. That like, that's how hard it gripped me. Uh, it's like Civilization bad in terms of addictiveness.
Max: He also made the first, uh, Minecraft, uh, before Mojang uh, ripped off the idea.
Ben: Oh really? I didn't know anything about that.
Dan: So, I mean, like I personally think in, in kind of tying it back to the vein of training, like I'm really fascinated and interested, I want to see more investment in, uh, gamifying the, the tools, the techniques, the process of becoming good at assembly, native development. Like there, there are these like a lot of, I mean, everybody recording today, right? Like you learned these things through commitment and diligence. It wasn't exactly designed to be accessible in any way, shape or form.
And the further we make investments in gamification, I feel like that's just really widening the spectrum and accessibility of that material. Right? Like.
Malware Unicorn: Yeah.
Dan: So I think that stuff is really cool.
There is one other local project I'd like to kind of flag, uh, on this topic, uh, which is Robot Turtles.
Uh, so Robot Turtles started as a Kickstarter a couple of years ago. It's a, uh, it's a game that is designed that you can play it with kids as young as like three or four. Um, and you can make it more complicated as they get older, but it basically teaches, uh, the, you know, the, the fundamental programming concepts like branching and having a set of instructions.
And it's kind of like making Logo, uh, the old, uh, uh, computer program to teach kids how to program from the '80s. It kind of makes, that, where you move the turtle around.
Malware Unicorn: Oh, yeah.
Ben: So you, you write a little Logo program and it says the turtle like changes his line color to red and he steps forward 10 steps. And then he turns right. And he steps forward five steps, and then he turns right. And then you can, you can draw, um, uh, all kinds of stuff with like Logo instructions. And at the beginning you just sort of make a mess cause you don't know what you're doing, but you can actually, um, basically do kind of like vector art with it. Um, if you get good, of course, you know, that was for an Apple II.
And like it's kind of garbage now, but, um, they basically made Logo into a card game where, uh, you, you, uh, you, you set these like gems out on a, on a map. And then the, the kid has to steer the turtle to the gems by creating a stack of cards, uh, with instructions. And then you turn the cards over, uh, one at a time and, and move the turtle around.
And, uh, uh, I actually got that for my, my sister and she played it with, uh, with her daughter when she was, uh, four or five. And, uh, there was this kind of like, I was trying to secretly teach my niece how to program without her realizing it was happening. Um, and I, I had just asked her recently, like, well, what do you think of Robot Turtles?
And she's like, "I love Robot Turtles!" Uh, and, uh, and I was kind of like why and, and she was like, "cause I, I, cause I get to tell Mommy what to do." Basically. I was like, she puts the cards down and, and like, she just, she just loves it because like she sets up the sequence of actions and then, uh, her mom like does what the actions say to do.
And that's the kind of the level she's, uh, she's interacting with it at. But, um, I thought that was, uh, yeah, it was pretty cool. But there aren't, uh, there aren't a lot of, I mean, I think I like the Apple II kind of, uh, stuff aimed at six year olds was probably where I first learned how to program.
Um, and it seems like, uh, you know, kids now are sort of growing up with, uh, smartphones running all the time, you know, like YouTube videos or whatever. And it seems really abstracted away from how those things actually, you know, there's like a user experience, which is different from understanding how the thing works. Right?
Malware Unicorn: Yeah. There's also, I don't know if they've upgraded it, but have you heard of like Lego Mindstorms?
Vyrus: Oh man.
Ben: Oh yeah.
Malware Unicorn: Yeah.
Dan: Yeah, definitely.
Malware Unicorn: That's what I had.
Max: I was jealous of all the kids with that.
Vyrus: So I had one of the first kits of that. Um, and I remember like I was, I was at just the right age where I had just started to learn a little bit of C, cause I was up to no good by then.
And, uh, the Mindstorms, they actually published a C API with like the very first version and, and like, man, I remember thinking I was so cool cause I was like programming a robot C that I like barely knew. Um, and my mom was a third grade teacher, so she used to get all these, like one-off like educational aids.
It's kinda like, it's kinda like, you know, doctors get like pill samples for free that they're trying to like move units. So like teachers kind of get the same thing. So my mom would have all these like one-off units of educational stuff. Um, and most of them are like, you know, dumb little like, uh, letters backwards and trying to like, you know, whatever.
But I remember one of the things she had also, it was called Capsela. I don't know if it's still around and it's like, it's like a, like think Erector set, but like everything's in its own little plastic bubble and they're all standard. So they fit together like Legos, but they have an electric motor in it and like a ballasts and like a switch and a servo.
And like, so you build these like kind of analog, modular robots, and they were all like hermetically sealable. So you can make like little submarines and stuff. It's crazy.
Justin: I think, I think it is really great. How much of that exists now? Um, I wish I would have had more of that growing up. Uh, I do see a little bit of a difference, um, in, uh, the type of stuff that we see on your page, uh, and it's, it's a little bit more, these are the kinds of things that a person has to really delve into on their own, right?
Uh, and, and really want to do. And when I was, uh, 20 years ago, uh, studying the area that I loved there, there just wasn't any documentation yet, you know, and, uh, people were still having to figure everything out for themselves. And I feel like this, uh, these, these types of trainings that you do, or that are, this in-between, this is for, after all the kids have done all this cool stuff that they have and the turtle games and the kid games and stuff.
Right. And then they, uh, they get to look for what, if they want to stay with computers, find the area that they're passionate about, uh, and then not have to look really, really hard, uh, to find information about it or figure it all out themselves. We're going to have a generation of, well, if we have people that can keep producing more good content like this, um, like yourself, then you know, we're gonna have a generation of people that have access to that information more quickly, and don't have to figure it out themselves and spend hours and days and weeks. Although that, I guess that's part of it too. Right?
Malware Unicorn: It's like those darn kids back in my day, but I completely understand, like, it's, it's trying to, and there's a difference between giving everybody the information and then like leading a horse to water, right? You can't, in a way when you're teaching you can't really give them the answer.
You have to have them discover it as well. And I think I've done this a little bit in my workshops where I tell them to recognize patterns and get to the, to get to a goal rather than show them what that, what the answer is. Um, and I think that'll help them from like memorizing content versus like discovering it for themselves.
Ben: Now that you have a, uh, a little one, I'm kind of wondering, um, and, and you have this like aptitude for, uh, doing technical trainings. I'm, I'm really kind of curious, like, you know, are you, are you going to try to teach your kid technical stuff at some point?
Malware Unicorn: Uh, yeah, I mean, she's already like jabbing keys on my keyboard trying to mimic me. So I think it's more about puzzle solving or problem solving, um, because that's how I describe my job is just like, I'm just solving a bunch of problems. Um, and like trying to think outside the box, that's one of the things, um, that she should learn is like taking basic concepts and trying to apply them to something different.
Uh, so hopefully when she gets older and she can put blocks into, um, different block shapes, maybe she'll have some problem solving skills, if not. Oh, well, and I'll still love her.
Vyrus: Man, let me tell you that moment where they figure out that the keyboard they're tapping on doesn't actually do anything and they get super mad and they're like, no, I want to type on that keyboard that you're using, because it actually changes the screen like, oh, so much, so much of that tech babysitter goes away.
Malware Unicorn: Oh yeah. Oh yeah. Oh no. She's she already does that with like remotes and phones. Like she beelines to my phone because she knows that she could swipe it already. And she's only nine months old.
Max: Hook up the keyboard to a Perl interpreter. I'm sure it'll turn into some stuff, some sort of programming at that point.
Malware Unicorn: Yeah, my, my, my father is already asking me like, "Hey, can she pick locks yet?" Thank God, no.
Vyrus: Yeah. Is mine's three and he hasn't successfully done it, but he's gone through my, uh, picks and he's pulled one out and he's stuck in a lock to quote unquote, see what it would do. So like, I'm sure that day is coming and like, his sister'll be born in a few weeks so that it's like, I wonder if she's going to outrun him, well wonder who's going to be the first one?
Malware Unicorn: Well, it sounds like she might be like a little social engineer. She's going to be the youngest making the brother do stuff.
Ben: Like go to class.
Justin: You did write ups on, uh, the FLARE On challenges as well, right?
Malware Unicorn: Yeah. I try to do FLARE On every year. It depends on how agreeable my husband is since I spend like a whole month, like all evening working on them. Um, so if I have time, I'll try to like do the whole write-up for the FLARE On or, um, at least some of it. It all depends.
Ben: What is FLARE On?
Justin: It's like these reverse engineering challenges and I've, I've had like four or five different people mention to me, uh, how hard task number 10 on FLARE On 7 was this year. Um, I had never heard of it before. And then I look at it and I'm like, wow, that is way beyond my reverse engineering capabilities. And that is awesome. Uh, Hasherezade did a writeup on the FLARE On 7 task 10 this year.
Ben: Oh yeah. I read that, that, uh, she only got through like half of it or something like that. Right? Yeah. I remember something about that.
Justin: Yeah. That's hard stuff, man.
Malware Unicorn: Yeah. I don't know how folks finish it like within a week, but I just use my evenings maybe one hour or two, an evening to work on it.
And I just want to finish it one year or finish it for that year.
Justin: Just one year. Yeah, that'd be great.
Ben: So, so this is, there are challenges that are so hard that, that people typically don't finish them?
Malware Unicorn: Well, some of them can be time-consuming like, like the last, uh, last three, like 7 through 10. Those can be, some can take like a week long or, or if you're not familiar with that type of malware that they're referencing, um, it can be more tedious.
I mean, I finished a couple, I finished two years worth, um, when I had time, but the later challenges definitely take, at least the last one can take a week. And I think the one that I did get to the last one, it was like a, full-blown like, uh, it was like PlugX or something and had like multiple rounds of encryption and compression that you had to get through.
Um, and you had to like take a DLL and try to, uh, mock the DLL function in order to use the encryption from that DLL that it was using for the plugin. And so you had to do that like for seven rounds. Um, so it's just tedious.
Justin: Okay. Blow our minds with the craziest reverse engineering thing that you've ever done, that you can talk about
Malware Unicorn: Craziest...
Justin: Or the, yeah, I don't know, hardest, craziest like most interesting, whatever will blow our minds. Like what's the craziest reverse engineering thing you've ever done.
Malware Unicorn: I don't think any of them are crazy. I find the more complicated they are, the more interesting it is. Like I've looked at. Uh, I think RATs are interesting because they have a lot of different capabilities. Um, I find PlugX and Poison Ivy and X-Agent really interesting in that, you know, they have a lot of moving pieces, um, a lot of classes, a lot of plugins and everything. Um, and like you could tell multiple people were working on one project, which, which is interesting.
Justin: Would you say, uh, that you found one to be the most interesting out of any that you've done or.
Malware Unicorn: I, I think I like anti analysis techniques. I find those interesting. So I think collecting all of those together, um, is, is more interesting in that respect. I think the more complicated, like financial type malware that have like anti analysis techniques in it, I think those are quite interesting. Um, like evading, uh, the analyst-- not necessarily like automated analysis, like they know that you're, you have a debugger attached and everything. So it's like game on between malware analysts and you.
Ben: Can you give us some fun examples of anti analysis techniques?
Malware Unicorn: Yeah, it's mainly like trying to, I think one of the things is checking if there's a window open, like for certain debugger, or maybe even IDA open, like they'll go through the list of windows and check the string to see if it's open or if they check some obscure file, if that exists on the file system that you've never heard of. Um, they do a lot of that. If you have, if you're like working within VMware, some other things is, like, they try to hide things on the stack, uh, which I find interesting, like just the way that they compile, uh, their objects, like they'll break them out into multiple pieces or, you know, uh, encrypt like a whole function and then they decrypt it and then run it, which is quite annoying. Um, so you have to work a lot in memory and set a lot of like break points in order to pull that out. Um, but I mean, it gives you a lot of ideas that if you just take all of those things and put them into one malware that you wanted to create, um, it would be really fun.
Ben: So, is this how you, uh, is this how you ended up, uh, switching to writing malware more than analyzing it?
Malware Unicorn: Yeah, because I would go look at malware and I'd be like, oh, this is cool. This is really fun. You know, I would do it this way if I could do it, or I would use this feature and this feature and I put them all in one, um, And try to make my own or things that I've seen, that if it gets caught by EDR or something like that, then how would I create it? And so that, um, that kind of like leads me to wanting to write my own malware.
So I wasn't, I wasn't gonna plug this, but, um, I had, uh, Peter Ferrie, uh, do a reverse engineer of, um, a virus written by an Australian virus, virus writer. Uh, it's retaliation.a. Uh, it breaks up into 250 separate, uh, metamorphically encrypted parts. And, um, his write-up on it is 39 pages and we're, it'll be in a journal we're releasing this 20th. Uh, you might be interested in that.
Justin: Yeah, it's, it's um, it's like, wow. And, and also, uh, for AV people to say, yeah, there's no use to try to disinfect this. Like, you're, it's a lost cause kind of thing.
Ben: The title of the zine is, what is it, temp out?
Justin: Tmp.out. Yeah.
Ben: We will be, uh, we'll, we'll call that out on the Twitter. Uh, I've been, I've been, uh, I've been retweeting their, uh, their announcements already, but that's definitely something to look for later this month.
Max: Just curious if there's any, uh, interesting metamorphic techniques that you've seen in the wild or that maybe you've implemented yourself?
Malware Unicorn: Metamorphic techniques... just like completely transforming?
Justin: So we, we have a big debate about this, but, in old school VX in the '90s we would, uh, refer to metamorphic code as a code where, where each iteration of the virus or the malware, uh, the actual code and the bytes changed and the instructions change each time.
Malware Unicorn: Oh, oh, gotcha.
Ben: I think a good way of breaking it down is, polymorphic is something like a crypter where like it's
Justin: Key change.
Ben: Yeah. Polymorphic is like a crypter where it's just a key change where it's technically different every time. A metamorphic is kind of, it's more like a quine. If you remember that from, uh, it's a computer science toy, uh, that doesn't have a lot of practical applications, but a quine is a program that writes itself out.
So, uh, metamorphic is like, um, it doesn't just sort of reencrypt itself. It actually kind of regenerates itself in possibly a different configuration.
Justin: The control flow changes and also junk they'll throw in junk instructions, uh, and, and whole branches of junk, uh, of control flow that is just entire junk and does nothing, and, uh, yeah.
Malware Unicorn: Yeah. Uh, so this is post-compilation, right? Not, not pre-compilation?
Ben: Well, it, that actually is... So one of the, the, there aren't that many, uh, uh, how tos on how to do like metamorphic stuff. Uh, but, but some of them actually have the thing kind of recompile itself, which I think is like more of a nineties leftover, cause this is a giant argument we've been having, but I think this is more of a nineties leftover because I think having to bundle a, a decompiler and a compiler with your malware doesn't work so well in, uh, against modern malware analysis.
Cause your analysts, because you're basically giving them the tools you need to reverse it. Uh, but there are, uh, there are, I think that there's sort of the potential for, especially with like virtual machines. So one thing that kind of comes up, there's a, there's an anti cheat technology for video games, which I also don't know how to pronounce, but I usually call it Themida.
Oh yeah, Themida.
Hey, we say that the same, that's the first one. Um, but they have like three different virtual machines or maybe more at this point. But the last time I looked at it, they had three different virtual machines and they could actually kind of switch between which VM they were using under the hood, um, to try and make it, uh, more difficult to kind of reverse engineer and they could have, you know, theoretically they could have, uh, instructions for one virtual machine generate instructions for the other virtual machine.
Malware Unicorn: Huh. Isn't Themida, Themida's not the one that Spotify uses. Right? I can't remember which.
Ben: Oh, I I've never looked at Spotify, so I don't know.
Malware Unicorn: Yeah. I know Spotify uses one of these sketchy, um, obfuscators. Um, but yeah, I'm familiar with it. Oh. But, uh, one of the things there's, I don't know if you've looked at the, of repo from, uh, for LLVM it's like a, um, it does control flow flattening and all different types of features.
Ben: The LLVM Obfuscator.
Malware Unicorn: Yeah, yeah. Um, so that might be applicable, but I don't know why you would want to compile again after the fact. Um, that just sounds like,
Justin: That's, that's an argument that Ben makes. We, uh, when I talk about metamorphism, it's not compile again after the fact, the instructions are stored in like blobs that are encrypted inside the file. And when it infects a new file and makes the new generation of itself, it takes those blobs and reformats them in all kinds of ways using, uh, real instructions, junk instructions, sometimes adding new control flow branches, uh, but keeping the same behavior of infecting other files. So it doesn't, it doesn't actually have a compiler or decompiler.
Ben: It's more like rearranging modules.
Malware Unicorn: I think that's totally possible if you're using like a higher level language, kinda like Go or, or Python or something. But I think the, I think one of the main problems you would run into is relative addressing, depending on how it's compiled. Cause then if you're changing the instructions, you'll have to change like all of the, uh, immediate offsets. Um, but that's just off the top of my head. Now I want to write this.
Ben: So there was a C virus that did, that did do this, uh, module rearranging thing. I think it was called (phonetic) "hi-bricks"? Uh, so this is going way back. Uh, but it did have, uh, it had separate like kind of plug-ins and every time it reproduced itself, it would just kind of reorder the plugins and reencrypt each of them. Uh, and it didn't always copy each plugin to every other iteration of itself. But I imagine that inside each plugin, it was like one kind of PIC module, you know, so you didn't have to deal with, uh, fixing up the addresses.
Malware Unicorn: I think it's completely possible if you have like that type of plug-in style RAT, where you have that like post compiler, that will go and change like the next iteration.
Ben: So what is your, what does your dream malware look like?
Malware Unicorn: Uh, well, I'm sort of. We're sort of working on one right now, um, in Golang, I don't know why we chose that language.
Justin: You just made Awgh so happy.
Ben: We did a whole episode on, uh, on current happenings in Golang malware. And that's actually like the big, that's the big, like our, our crew here is kind of like Golang malware components, uh, mostly. That's like most of the stuff we do.
Malware Unicorn: Cool. Yeah. I've, we've got a way where we can like, uh, load. (Infant cries.) Okay. That's okay. We can load Golang objects into memory and then run them as plugins. (cries) Um, okay. Okay.
Justin: I have a,
Malware Unicorn: Yeah, go ahead.
Justin: I have, I have a theory, a theory about, uh, Golang malware. When we were working on Backdoor Factory, uh, rewrite, we could not, uh, a PT_NOTE infection would not work on Golang binaries because the build ID is required to be in the PT_NOTE segment.
But, uh, talking to several people, we don't think that it actually checks to see if it's a PT_NOTE segment. We think it's looking at the sections and the sections are pointing to a note. And if you changed it to a PT_LOAD segment, you could leave the Go build ID and just put the entry point right after the ID and put your code there and do a PT_LOAD. And inject, infection on the Golang binary. And so that's one of the next things we're going to try.
Ben: It's probably worth, it's probably worth pointing out that that is something that Go only does for ELF binaries on Linux. It doesn't, it doesn't, it doesn't put the build ID in a special segment for Windows at all. Uh, which is just, it's this weird thing where like the Go runtime on Linux.
Ben: Yeah. The Go run time on Linux, uh, actually reads from this, reads from a note segment. And it has to find certain fields there or it crashes. But.
Justin: I have to bring this up. Have any of you looked at the new binaries on Ubuntu 20.04 LTS?
They have, 95% of them have been compiled with a new flag, dash FCF uh, secure?
Justin: Protection. And they have two PT_NOTE segments, but it's, that doesn't really matter. That second note segment is just telling you that it has those, uh, those Intel CET instructions in it. Right? So like tons of old ELF malware no longer works on Ubuntu 20.04. Uh, that's going to be interesting to see, uh, how people work around that because it's got the, those branch control, uh, they're like special, no ops. Right? And so if it doesn't have that, that no op when it returns from a call, it like segfaults.
Ben: We're going to have to get into like, uh, fixing up injection in Backdoor Factory and stuff to like, deal with that for sure. But, so like what, what platforms are you predominantly targeting? Like Windows, OS X?
Malware Unicorn: Uh, mainly Linux and OS X for now. Um, mainly because, you know, we've got a lot to work with. I feel like, you know, with Windows ATP, um, it's really hard to, (Infant cries) okay. Okay. Okay. Hold on. Sorry about that.
Ben: No worries.
Malware Unicorn: You know, with Windows ATP, it's really hard to get around like that initial execution.
So when it comes to post exploitation stuff, it's not really that fun anymore. Um, but for Mac, uh, finding out ways to get around, like the EDR that they have now since like EDR is super basic on Mac.
Ben: And Linux.
Malware Unicorn: And Linux. Yeah. And Linux for that reason. Um, you know, doing things sketchy in memory and, um, trying to, uh, load things differently than Windows, like how you would do it in Windows is like super interesting. But you know, it's a learning curve, like, especially from someone who grew up with Windows and Windows malware, you're like trying to apply similar concepts in Mac and Linux.
Ben: I'm actually not as scared of Windows ATP, uh, uh, the, these days as I, as I was at one point, um, mostly because, uh, like Hell's Gate and there's some other techniques that are kind of becoming well-known, uh, for working around like the common things that, uh, that Windows EDRs do.
So that arms race is definitely still going. Uh, but there definitely is this increasing body of things you have to know about how all the different EDRs, uh, measure threatening-ness. Um, you know, but my rule of thumb is like, there's like some really cool automated tools now that you can put your malware in and it will, um, kind of inject bytes into different parts of it. And it can figure out automatically, uh, where exactly EDR is triggering. So like, malware analysts use a lot more automation, uh, but there's also automation for malware developers that, that helps you figure out, like, what is, um, what is setting off the EDR?
Malware Unicorn: Ah, yeah, I think I, I kinda remember there's like, there's a term for this that we used in like, uh, malware rule writing. Um, it's, I think it's called splitting? It's either splitting or scraping, it's basically like you're taking, taking the binary and like, oh, splicing or slicing. Yes. We just keep slicing it until you figure out what actually triggers the rule.
Ben: Yes. That's exactly what it does.
Malware Unicorn: Yeah.
Ben: Um, so the, uh, and then the other thing I've noticed, and then, so hooking DLLs is a thing they do, and there's a way to get around that. And that's kind of where Hell's Gate comes in. You can make direct system calls and bypass NTDLL, and that's a whole thing. Um, and we have a, we have a repo for that also, which is BananaPhone, which adds this capability to, to Golang transparently. But on OS X, the thing everyone's always worried about, cause like OSX makes a big show of, uh, you know, it's got that flag where like things have to be properly signed and like, oh, you can't run this binary, it's not signed by a developer that paid $300 a year to our developer program. So it's like, so go to the security tab and click, like, I'm a bad boy or whatever, and then we'll let you run it. Right. But then one of the things, one of the things that I learned, uh, from the references of your OS X training, uh, like reading through some of the things you link to, was that, uh, that, that thing is called Gatekeeper and apparently Gatekeeper is not as scary as, uh, Apple would have you believe.
Malware Unicorn: Nope. You can probably try to find the, uh, I think, I don't know... I know they are using some type of rule writing. Um, I know there's like Yara rules that exist there too, but there's ways where you can go and find how they're, um, like looking for things. Like that whole, uh, TextEdit thing where you create something with TextEdit, and then you change the contents of the file, like either the header or something.
And if it's like Mach-O they may or may not like leave the quarantine on it. Uh, so those, those little things you can test out.
Ben: So how does it, so I'm not quite as familiar with, this is kind of like the next thing I'm going to get into is like messing with Gatekeeper. Um, so I'm wondering if you could sort of break down how Gatekeeper works a little bit.
Malware Unicorn: Yeah. And I wish I had more time to reverse it or, uh, look at it, but essentially that's the thing that checks, it definitely checks for the quarantine bits on your file. Um, it checks the header and some like basic, um, binary properties it's using to determine whether or not, um, it's executable. Uh, it's changed a lot since I've looked at it.
I think the last time I looked at it was. Well, uh, 1.14 and I think we're at 1.15 now. Um, and I don't know what it, what it's like for Big Sur. I know it's changed a little bit since then. Um, but, uh, I'd know it's using some type of rules. I just haven't had a chance to look at it.
Ben: So one of the methods, like the reason you'd want to do dynamic library injection in the first place is because that, but, uh, as I recall that bypasses Gatekeeper to some extent, because it's something like it checks the signature on the original binary, but it doesn't, uh, do similar signature checks, at least under some circumstances, on libraries that are dynamically loaded.
Malware Unicorn: Um, I think in my tutorial, I think I mentioned that you can change one of the, the bits in the header for the signature section. I think that is that what you're talking about. Yeah. So if you remove like, like say it's a, it's basically a list of the header properties and one of the last properties is the signature section.
And if you change the length of the list and you decrement it by one, it's not going to check the signature, the signature checks section. And this only works. If you have a, um, uh, like say you have an app and that app has a resource section where it pulls in other, uh dylibs or other binaries, and you change the signature on there, and then it will run like, no matter what.
Uh, and it'll just say, oh, well, signature, there's no signature on this binary. Of course the quarantine bit is off because it's in a, um, file that's like in a nested, in an app and it will run it, which is nice. Um, so you can pretty much just go through all the resources and look for a target and remove the signature, uh, section on it. And you're good to go.
Ben: Uh, this might be a stupid question. Uh, is there something analogous to like DLL hijacking for OS X where you could do that kind of thing?
Malware Unicorn: Um, I think, yeah, I think so. Uh, I don't know if there, there shouldn't, I mean, it does do like a basic signature check and I think it just like tries to loop through that list.
You'll have to read the, um, uh, what is it, the LD preload functions that are open-sourced, um, that's how I kind of figured that out. Um, so it it's, I don't know if it's changed. I doubt it is, but, um, I, I think it's really basic that it has to rely on the, the, the amount that's in the list in order to reverse it.
Ben: So going back to, uh, Golang malware for a bit, um, are you, are you using totally in-house stuff, uh, that you're writing yourself or have you, have you found any, uh, fun Golang malware libraries, uh, you can share?
Malware Unicorn: I can share them either in like the Red Team Cabal or like offline somewhere. Um, cause if I say something now then the blue team's going to see it and they'll...
Malware Unicorn: So that's why I don't tweet stuff anymore because they are all following me.
Ben: Uh, yeah, they can wait and, uh, and see it. Do you do a CCDC or anything like that?
Malware Unicorn: Nope.
Ben: So I usually, uh, I usually wait until after CCDC nationals, uh, before talking about like this year's projects.
Justin: People get so busy that it's, you can't even talk to them and all that when it's going on.
Ben: Yeah. But, uh, well, cause, um, I'm usually sort of writing stuff with the intention that people will use it, uh, for the red team for CCDC. Uh, and then I have noticed that even, even when I do start talking about it or do write-ups or whatever, after, um, the same tricks still usually work a year later too. So there's a bit of a blue team lag.
Malware Unicorn: Yeah, I think, I think once, uh, if, if they finally find the malware, then maybe I can like publish a little bit more, but, um, since we're still writing it, I don't really want to talk too much about it. I can talk about concepts but not full code.
Ben: Absolutely, I'd be, I'd be super interested in hearing.
Justin: I've got a question about, uh, about your site. Um, what are your plans for your, your next tutorial or next two tutorials?
Malware Unicorn: Well, I have one there that says coming soon, it's like the anti analysis techniques. So I've compiled a list of a lot, like 40 plus different types of anti analysis techniques that, um, that I plan on making like a POC for each one and then explaining how to get around it.
Um, so I've probably completed about 10% so far, mainly, you know, like having a baby kind of like prolongs, getting stuff done. I'm hoping that maybe this year I can finish it. Um, but I'm writing like each one in assembly so that, um, I can like teach you how to, how to get around it. I can go over, let me open up the doc so I can like tell what types of techniques there are. Hold on.
Justin: That's going to be so cool.
Ben: Yeah. That sounds amazing.
Justin: That's going to be so fun and, uh, and I guarantee you that, uh, in our, uh, in our, find some of those and take them and run with them.
Malware Unicorn: But as I'm finding it, you can keep talking.
Justin: So, so, okay. Let me ask you this, uh, after you finish this, even if it takes a year or something, do you have a, uh, a vision for what you would like to, um, write about next or teach next, um, break down, uh, complex ideas and the way that you do... you've got reverse engineering 101, 102. Uh, do you have a, um, like something in your head, like a dream about what you want to do after you finish the anti analysis techniques?
Malware Unicorn: Um, it would probably be more macOS stuff. Uh, it's basically a lot of it is related to about stuff that I do at work. So if I'm like learning something myself, then yeah. Maybe I'll want to convert that into something that I could teach.
Justin: We fully support, more macOS stuff.
Malware Unicorn: Okay, cool. Okay. So some of the, um, I actually, I can just paste this in the chat here. How about that? And you can see all the ones that I have ready. I have like 45 that I have planned.
Ben: Holy smokes.
Ben: So I see... wow. Stacks, strings, encrypted strings.
Malware Unicorn: Like basic stuff first. Yeah. And then, and like, you know, recognizing them how to get around them, that kind of.
Ben: Let me scroll to the bottom, API hooking, bypass, IAT hooking, rebuilding IAT with PEB. Yeah. I just did that, uh, for the universal loader too-- that is a brutal pain in the butt.
Malware Unicorn: Yeah. It's very Windows heavy, but some of these can be, you know, converted into other OSes. So it's
Ben: Holy smokes. Wow. I'm really looking forward to this. Uh, I mean, and no pressure take your time. Wow.
Malware Unicorn: Yeah. So I do, I try to do one topic like every week or so, or, you know, it just depends on how much time I have. I have, I like to do art as well. So it kind of like, they kind of vie for my free time.
Justin: I feel that, you know, like I have to play the banjo at least like a few hours a week. And if I can't like I get frustrated.
Ben: So what kind of art projects are you working on?
Malware Unicorn: Uh, just, just drawing. I can share my Instagram so you can see some of my, uh, drawings, hold on.
Ben: We'll put a link to that in the program notes.
Malware Unicorn: Okay. Uh, but I, I like to draw things from games, like games I've been playing or shows I've been watching. Um, like I did one where, uh, it was the God of War. Let me see.
Justin: Were you one of those, um, natural talent, uh, uh, artists, um, or, or was it something that you wanted to do and you really had to work hard and learn at it?
Malware Unicorn: Uh, I think it was a natural talent cause I've been drawing ever since I was, I don't know, uh, school age, so, uh, like, uh, elementary school. There were times where my parents had to pull me or the teacher had to pull my parents aside and be like, what's wrong with your child? Like she's drawing dinosaurs, killing and gouging out each other, you know, as if,
Justin: Yeah that's natural talent.
Max: Um, I don't see why teachers do that, that's what dinosaurs are supposed to do.
Ben: That's what the dinosaur statutes in the museum are doing.
Dan: My drawing's not weird, Barney is weird. This is natural.
Ben: Barney is super weird. Like, uh, that is not how dinosaurs act.
All right. Well, um, I think with that, we're going to take a quick break and, we'll be back with, uh, Amanda Rousseau or Malware Unicorn, uh, after these short messages.
Ben: Hey, this is Ben from the Hack the Planet podcast. Uh, you may have noticed that we didn't put out quite as many episodes this last year. Part of that was me getting ready for a talk I gave at DEF CON called Golang Malware Bonanza which you can check out on YouTube. And then part of that was... we all thought the pandemic was over for a minute and, uh, started to have a big party. And then, uh, the rest of it was basically realizing the pandemic was not over and being sort of bummed out about it. Although then there was the untold story of our, um, attempt at an episode which never saw the light of day, which we might tell at some point. But in the intervening time period, uh, between recording this interview and releasing this interview, the kid in the background, uh, has learned to walk and also wield objects. So that puts, uh, things in some amount of perspective.
So we do have some things to plug. We have a new favorite Makerspace which is hosting our free workshop events in the Seattle area. It's seattleMakers.org. It's a great makerspace, which has recently moved to a new location near Gasworks Park in Northlake, and they're really doing some awesome stuff building out that space right now. And they're now hosting two of our events. We have a new event, Network Hacking 101, which is hosted by Victor Graf, in addition to our hardware hacking workshop, which is hosted by me. You can find both of those events on meetup.com if you search for Symbol Crash. Also, Malware Unicorn has a new training out on PE injection, looking at the CryptoWall malware, and you can check that out at MalwareUnicorn.org.
And with that back to Malware Unicorn.
Ben: And we're back with Amanda Rousseau. Um, so a couple of, couple of questions for the back 40. So one project I know you were involved with, uh, I think, uh, I'm guessing while you were at Endgame, I also don't know how to pronounce this one is (phonetic) "zoree" or "x-or-ee"
Malware Unicorn: (phonetic) "Zoree. " Xori. It sounded cute. So I like the x-or, uh, thing, and I just added I on it to sound cute.
Ben: Well, some people say (phonetic) "x-or" and some people say "zor", so it's uh, but can you tell us a little bit about that?
Malware Unicorn: Yeah. So when I was trying to do some like automated disassembly, I got, I was trying to look for a solution and I didn't want to use IDA um, cause I wanted something like on the command line and then I tried Radare and I wanted to rip my hair out, um, cause it kept crashing,
Ben: I don't know why there's so many R2 fans, either.
Justin: We're posting an exploit for R2 in this next zine.
Ben: Boy, the man like the man page for Radare is like long and confusing. And every single time I've looked at it to use Radare to solve any problem. I've just ended up writing my own code that does it. Uh, so it's like, it's like the man page is like a good explanation of what you should go write as code. Uh, and it's just easier to go write my own code than it is to figure out how to use their thing, to do it.
Malware Unicorn: Disassemblers have their strengths and weaknesses. And I think Radare is really good on like obscure architectures. Just not like for everyday, uh, C reversing. This, that's my opinion though. Like, you know, if, if command line reverse engineering is your thing, that's cool. It's not for me.
Justin: I just like it for looking at the static analysis, that's it.
Ben: Well, I, I mainly just look in there because it has like ROP chain solving stuff. Uh, I gather if you figure out how to invoke it correctly, um, I just invariably find it easier to use either different tools, uh, for that, or just to do it manually.
Um, so just back to Xori, uh, so what does Xori do for you?
Malware Unicorn: So I wanted to make it to like, do automated disassembly, um, and try to, you know, have something that I can, run on, like thousands of malware or even like, uh, uh, hundreds of thousands of samples from VirusTotal.
Um, and so that was the whole point of it and I needed something stable and something I could write really quickly. So I was like, Hey, well, I guess I should learn Rust. So I was like, let's make a disassembler with Rust. So, uh, you know, the best way to learn a new language is write a project in it, right? So, um, I wanted something that I could use, uh, with, with another, um, I guess project that we were working on at the time that was also in Rust. So it was kind of like a way to connect the two. Um, since, since I left it kinda like fizzled out in maintenance since it's like under my previous company's like name, I mean, I forked it, uh, on my own site. Um, but I haven't really messed with it since.
But the idea was to have like some fast way to, um, get, uh, the different types of branches and cause there's different ways how disassemblers go down code? Right? There's um, you keep jumping into, um, the calls. We keep going down the different branches. Versus like a flat, a disassembly where it goes and checks like the next instruction.
And I think IDA is the, the first type where it goes down the different branches and then Radare is like a flat, uh, like we'll just try to disassemble one by one instruction after another. Um, so I kind of had like a hybrid approach between the two, um, because I didn't have too much time to, to make it a lot better and for different architectures. You know, it's, it's stuck with just like Windows based things. Um, but what I did was I, uh, kind of made like the whole, uh, process, um, memory stack there, uh, where you can access like a fake PEB and a fake TEB. Um, so that in case it was doing like the PEB loader, you know, the PEB loader style, where it goes and looks up fs:30 and then tries to traverse lists in order to rebuild the IAT, um, you know, it would be able to do that. Um, and I think I mentioned that in the slides as well, basically, I just like read the code, uh, for the NTDLL loader and try to like mimic it.
Ben: I've done that myself it's or it's, it's gs:60, if it's 64 bit, but yeah, I know exactly what you're talking about.
Malware Unicorn: Yeah. Um, so it does that, and at the time I had an intern and, uh, I had him create the UI for it. Uh, I made him learn, React. And so, uh, that's kind of like what that UI that you see in the repo is. Um, so we kind of worked on that together. Uh, cool story though, because he learned to do that while he was an intern, he made it, he kind of took that and wanted to create a startup with it. So right now he's trying to create a startup that is like, um, multi-user reverse engineering platform where you can like reverse engineer together. Um, with like a nice UI. He's still working on it. So I don't know what state it's in. At least he's got that going.
Ben: That sounds kind of, that sounds kind of familiar. Can you say the name?
Malware Unicorn: Yeah, let me find it.
Ben: Is it crowd something?
Malware Unicorn: No. Um, let's see, he changed the name of it.
Vyrus: Binja has that now, but like a web, a web, and it's free too. It's not, it's not as cool as Xori, but like it's free, you know.
Ben: Are you actually using libcapstone?
Malware Unicorn: No, no. I, so basically I looked at how Capstone was doing it and I made everything completely in Rust. There's no like external libraries.
Ben: Holy smokes.
Justin: That's crazy though. "I looked, I looked at how capstone was doing it and I did it Rust."
Ben: So Capstone, like no one has ported, no one has ported capstone to, uh, Go, uh, which is a pain point for me.
Malware Unicorn: I don't know if I want to do low-level stuff in Go to be honest.
Ben: Well, that's well, we'll get to that in a minute,
Justin: That's what he does, whether or not it's optimal, he still does.
Ben: Yeah. That's, that's what I do. Um, but the, uh, so having like a fully fledged capstone is a totally complete disassembly library that has like every architecture. And like all the instructions for every architecture and all their side-effects and, and like absolutely everything in there. And, um, it, it is, uh, it is an enormous amount of work to port even one architecture, I would say, out of Capstone and into something else. I guess the one advantage to writing something in Rust initially is that no one can come along later and be like, you should rewrite this in Rust. Cause that, that happens to a hundred percent of non-Rust projects at some point. Um, but the, I have not yet gotten into Rust, but I have just legions of people that tell me I should rewrite everything and Rust and anything I do, they're like, why haven't you written this in Rust? Um, but the, uh, is it fast?
Malware Unicorn: Yeah. So if you go look at the, um, the different speeds besides C like Rust comes in second, and then I think it's Golang and then like the other higher-level languages. Um, but one of the things, if you are making with any higher level languages, right, your malware is going to be big. So it's going to be at least like three, four megabytes, at least, which is like all the basic libraries.
So you have to consider that or put like a packer on it or some type of compression. Um, but if you're just doing it for development, yeah. It's super fast and coding in Rust is really fun too, because the compiler is really nice and tells you where you were, where you fucked up.
Ben: Maybe, maybe I'll give it a shot. I've had a couple of people tell me. Uh, what was a good resource to, if you already know some other programming languages and you just want to switch to Rust, is there like a effective Rust document you, you went back to a lot?
Malware Unicorn: Uh, no, I just, you know how they have like that Rust playground. I just sit there and mess with that and then look up the documentation. Um, uh, you know me, I would go just directly to the compiler code and see how everything is, and read the documentation, uh, if I don't know something or, you know, sit there and, uh, compile and, and test out and break something and try it again.
Ben: So the, uh, I think Rust, uh, does Rust produces smaller binaries than Go though? Right?
Malware Unicorn: Slightly smaller. I think the base is like three megabytes and then Go is four or five?
Ben: Go's like 1.2 megs for the runtime. And that's the part you can't, you can't reduce much. There's a couple linker flags you can edit that'll bring it down to like maybe 800k. Um, if you strip out all the symbols and everything.
Malware Unicorn: Yeah. It depends on how, like how big the project is too. Right. Like if you're loading in a lot of other libraries, like external libraries and then it becomes kind of big.
Malware Unicorn: I think that's one of the things I don't like about Go is that, you know, you have to import a whole URL in order to get what you want, rather than just like having something local.
Ben: Well, it does, it does when you pull in libraries in Go, it does statically compile it. So it only actually includes the code that you're using, uh, with the exception of, uh, like some stuff for reflection, which you can strip out and the flat overhead of the runtime.
Vyrus: And the DWARF signatures.
Ben: Uh, you can strip out the DWARF signatures.
Vyrus: Um, but it includes them by default.
Ben: The LD flags, uh, "-s -w" I think strip out all that stuff. And then, um, but the thing that you can't reduce is the overhead of the runtime itself, and they don't apply that static, uh, compilation logic to the runtime. And that's the kind of the annoying thing. Um, so we're like we're using a bunch of pseudonyms on Go mailing lists to try and lobby for that to change. So they won't figure out, uh, who's asking for that to change. So they won't figure out, uh, who's asking into that, so far, but, um,
Max: Some things you can also do with Rust is, uh, use musl to get fully statically linked binaries without like external libc dependencies. I'm not sure if you can do that, with how easy it is to do that with Go.
Ben: Go only does that.
Malware Unicorn: Yeah you can do that with Go.
Max: Okay, cool.
Ben: Go go is always statically,
Max: Oh that's right.
Ben: You have to go way out of your way to, to include anything. Uh, but by default go is just one giant statically compiled binary.
Vyrus: Yeah. It actually used to be way worse because the linker until actually relatively recently, it didn't just include, uh, the code you were using. It would just include the whole package. Like that used to be a tactic, like I used to go after, um, like, like he would find a piece of good malware that had like a go lib, that it was like obfuscated enough that like, it was kind of hard to nail down. So then you go find a bad one, but it has like the same library. And even if they don't use any of the functions, like they're all in there.
Ben: So I, I'm going to ask you a question, but I don't want to put you on the spot. Uh, so when I did my like thesis project in, uh, in college, uh, you know, one of the professors I was presenting to at the end was. You know, how did you evaluate your project? And I hadn't really done a lot of evaluation on it. Uh, so I just said like, well, I like it and everyone laughed. And then they let me, uh, they let me, they let that kind of slide, but I'm wondering, if you, did you run this on like large batches of stuff from VirusTotal and, and what kind of performance did you see?
Malware Unicorn: Uh, yeah, uh, it was mainly, I think I ran it on like a hundred samples for, um, did I lose it? Okay. It's still there. I think I ran it like a hundred samples to see how it did, um, how fast it was, because I was, we were trying to build like a backend, um, VM, automated VM service, and I wanted to have like the automated disassembly ready... when after was, like, evaluated dynamically.
So it was like static versus dynamic. Um, and it, it did all right. The main thing with all types of binaries is trying to disassemble without a human there. Right. So sometimes, um, there are, uh, ways in which you're trying to traverse down a sample and then say there's like some anti analysis or, or packing going on that you just didn't, uh, encounter. So a lot of these edge cases I found were so much that I would have to probably be developing full-time in order to, um, like, cover all of those bases. So it was basic enough, so I can get my job done and look at samples really quickly while I was helping develop this automated VM system. So it was more like of a tool that eventually wanted to be turned into like a product.
But, um, since I left, it, of course, it never got into a product. Um, so it's mainly like a quick disassembly tool.
Ben: So, uh, I want to ask, uh, so the number one question that people ask me online is of course, how do I hack? Uh, but the, the number two question, the number two question that people actually ask me is like, I want to set up some kind of VM based thing for, you know, sandboxing malware or, uh, running malware.
Um, and, uh, there is of course, like AnyRun, which is cloud hosted. Um, and, I know some people like that if they don't want to get too into it. Um, but there seems to be a lot of, kind of, uh, components for a system like this on Github, but it seems like a lot of people are still kind of rolling their own. And I guess I'm wondering, it's like if I was interested in setting up, uh, some kind of like VM malware sandbox thing, what would you recommend going with in this day and age?
Malware Unicorn: So are you saying like start, like a noob perspective? Or like someone who really wants to get serious, make a really good environment.
Ben: Uh, well, I'd take both answers.
Malware Unicorn: Okay. So from a noob perspective, you know, I would just use any type of online service, like hybrid analysis or something. Um, as far as like online services go, I think Joe Sandbox is probably the best in my opinion, that I've, I've looked at, even though it's not free, they have some really detailed reports. It's really nice. Um, and they also do different architectures. Um, yeah. Joe, Joe Sandbox?
Malware Unicorn: Yep. If you're trying to do something from scratch though, Cuckoo is still the best if you want to set up like a basic, you know, Windows box. Um, another thing if you want to do the hardcore way is you would use, then you use Xen as a hypervisor, and then you, you make your custom VM, um, through that and then use the instrumentation with Xen to control the inner workings.
And, and can you control, um, the, the memory and then, and API calls from, from outside of the VM, that way, that way, you know, you have like this complete separation where the malware doesn't know that it's, uh, in a VM and in this case it would be like the hypervisor running everything. So you wouldn't have the same artifacts that a VM would have.
Ben: Like the Cirrus video driver or whatever.
Malware Unicorn: Yeah. Yeah.
Vyrus: Well, that's how, like, that's how like DEF CON CTF has worked for a number of years. They just use BSD with the syscall emulation layer. And it's, it's basically the same thing.
Ben: Are there like Xen sandbox management, uh, packages out there, or is this something people are mostly rolling themselves?
Malware Unicorn: Uh, I think it's definitely something people are rolling themselves. A lot of people are starting to adopt the Xen hypervisor. I know AWS used to be, uh, is like a Xen fork. Um, I think Qubes is also on Xen which, you know, I use as my, one of my work computer operating systems. But it's, it's just a different, it's, it's more interesting to work with the hypervisor than it is like VMware or VirtualBox or QEMU.
Justin: And hopefully someone like yourself who has a little bit more time will come along and write a beautiful, easy to understand a tutorial that, that I can understand.
Malware Unicorn: On hypervisors?
Ben: Xen and the art of Malware Analysis, spelled with an X.
Vyrus: I have a super non-sequitur like just Mac question. I just kind of want to throw out there. So like, do you have a preferred tactic for visualizing the horrible Cocoa dispatcher when REing stuff? Cause like that is like, I constantly have this problem where, like, pick a disassembler and I load an OS X thing and I'm like, oh, it's using Cocoa stuff. It's not just using regular stuff. Cause I can see all the like dispatch code, you know, with like the string that goes into the thing with all the arguments and like you can't trace all the buffers and stuff and I'm like, I don't always want to load it up in a debugger and like actually trace every buffer cause that's a ton of work. And so like every, every, every pro I've seen has like their script for the debugger or for their, the disassembler that they like that basically changes the IL to like make sense.
Ben: Debugging on OS X is a ridiculous pain in the butt to begin with.
Malware Unicorn: Really?
Malware Unicorn: You know, throwing it in LLDB, is, it's really not that bad.
Vyrus: Well, now, now LLDB has the GDB server like baked into it on like Big Sur. Right? You can just like enable, like, GDB server and then attach to it, which is a lot nicer than it used to be since they don't let you use any other debugger because they have only half deprecated IPC at this point.
Malware Unicorn: Have you tried like, uh, IDA and then you could connect to the, uh, debugger?
Vyrus: Oh, yeah, no, I mean, I've gotten, I've gotten debugging to work on OS X. I've gotten it to work with Cutter and I've gotten it to work with, uh, the Binary Ninja plugin, and then I've got it to work with IDA, but like, if I don't wanna debug it, I just want to look at it like to do the very beginnings of static. Like, I'm...
Malware Unicorn: I just throw it in IDA and then I, I feel pain every single time I look at it, but it's, I don't really have too many tools. I'm like one of those people that just use one or two tools to do stuff.
Vyrus: I just didn't know if you had like your own Cocoa, like un-dispatcher script...thing.
Malware Unicorn: No, I know there's another disassembler called Hopper that's really good with Cocoa, but the interface is not that great.
Vyrus: The interface is not that great and it didn't have debugging support until recently. But it was, it was like for a long time until like Ghidra came out and then every other debugger stole its decompiler to have its IL, which is badass, like I'm not complaining, but like, until that happened, the only way that you could look at, like, OS X disassembly and have it not just be ridiculously horrible was to use Hopper. Cause they, they kind of did it before Ghidra was public where like there was some kind of abstraction kind of IL, like if you didn't want to pay for Hex-Rays like that's what you did. Um, and now that like Cutter and everything else like that and Cutter 2.0, because it's forked from the Radare2. Cutter, which is all, you know, now that they all just use a binary version of Ghidra's decompiler and then use that as its abstraction language, like that's super nice. That's basically what I use for everything. Um, but the one thing that's still a pain in the ass is the Cocoa dispatcher. Right. It's like, I don't want it, cause you just get, you just get hex addresses. Right. You don't actually get the strings, even though it like technically knows where the strings are.
Malware Unicorn: Yeah.
Ben: Speaking of, uh, sources of pain and, uh, OS X reversing, have you, uh, have you looked at, uh, the M1 mac? Uh, the Mac is on a different architecture, or chassis, as we'll say, um, and it involves an entirely different assembly language. So it's like ARM64 instead of AMD64, which is doubly confusing.
Because if you look at those really quick, they don't look visually different. It's like "A" letter letter six four, or "A" letter letter six four, but, um,
Max: And ARM64 is just such an unusual platform on its own too.
Ben: ARM64 is weird. The assembly is weird.
Vyrus: Super weird.
Ben: But have you, have you like played with any, anything on the M1 yet?
Malware Unicorn: No, no. You know, my husband got the M1 also, and he won't let me play with it. So I'm waiting for my work to give me one.
Ben: Seems like a reasonable decision.
Vyrus: That's how it works, right? Like you get, like, they get a thing and they see you looking at it and they're like, no, this one is not for hacking. Go away.
Malware Unicorn: It's bad when your own husband has to like, segment you off the network because you play with malware.
Ben: I got an M1, uh, just to make, uh, your, uh, loader method work on it just to make sure it still worked.
Malware Unicorn: Oh cool. Did it work?
Ben: Yeah, it did work. It totally works. Um, uh, on the M1, I did have to write, um, some Go assembly targeting ARM64, to make some of the, uh, the innards work. I did put a blog post up about that, uh, relatively recently. But, uh, yeah, Go assembly is a whole other weird pocket universe, uh, they have their own assembler just for Go, which is based on the Plan 9 assembler. And it's a nightmare. Um, and it's also different for every, uh, platform. Uh, so there's, I don't know why they made their own assembly.
Vyrus: Because the runtime uses the Plan 9 calling convention, no matter what operating system you're on. And then it does the switch, every time it calls a system function. Cause it doesn't use that calling convention.
Ben: Yeah. I mean, I have some theories, but I don't, I don't really know.
Vyrus: Do these theories all start with the words "Rob" and "Pike"?
Ben: We're trying not to, we're not, we will not speak his name... but yes.
Um, okay. One more question. And I kind of hate to ask, but I would, I would like to kind of get your opinion on this. Um, so you're on Twitter. You must have seen at some point the offensive security tools debate.
Malware Unicorn: Oh, about releasing them?
Malware Unicorn: Yeah.
Ben: We don't need to dwell on the, uh, we've already gone on several rants about it. Um, but the, uh, I think your perspective is like, uh, someone who looks at social media and used to do malware analysis for, um, you know, like, uh, FireEye and other places, uh, and then switched to writing malware for red team purposes. Um, I I'd be, I'd be interested in your take on the, uh, the OST debate.
Malware Unicorn: You know, it's kind of... I think it's bullshit that people say, oh, you know, people shouldn't release tools, but you know, these malware analysts will write a whole like detailed report on malware and expect that people are not going to copy the techniques that they talk about. So if you're releasing tools and it's like a security researcher releasing tools, of course, they're not gonna, hopefully, they're not going to like give you the full, like, nice everything is done for you type of tool. They're going to leave some stuff out, of course. Then, you know, it's, it's for learning purposes and if you're, you know, staying up to date with tools and, and malware, you should be, you know, collecting all of those and testing your environment with them. So, uh, I think it's... I don't see where the complaints are.
Like, even with the whole, that one guy from, um, uh, what's his name, he released like a ransomware sample code and he got some flack for it and he did it so that people can learn how to, how ransomware works. And he got so much flack for it. You know, it's stuff like that, that, you know, these skiddies will take some of that code and try to make their own and then break it. You know, it's, it's all about lowering that bar.
Ben: Is that a Letterkenny reference?
Malware Unicorn: What?
(phonetic) "skitties", "spare parts bud."
Max: No, script kiddies.
Malware Unicorn: Script kiddies, sorry.
Ben: Oh okay.
Malware Unicorn: I'm using slang terms.
Ben: I thought it was like this, like the skids who they say in Letterkenny.
Malware Unicorn: No I say skiddies.
Ben: I like it.
Vyrus: Skids is my thing. That's what I call them. Skids.
Justin: Do I get to do the obligatory? Uh, we had this argument in the nineties with AnonSec and we already decided way back then.
Ben: Well, I just, I just think it's easier to complain about something on Twitter, then do your job. But
Ben: Yeah, I don't even, I don't even get on Twitter. Uh, but
Was that: fight me blue team?
Vyrus: I, I do, I do definitely identify with that response, which is interesting because I went from someone who used to make malware or red teamy stuff, who's now a blue teamer. Like I'm an honest to God threat hunter. And like, when I was a red teamer, it was like, oh, this is a stupid argument. And now that I'm a blue teamer, I'm like, God, you, people are stupid. Like if the red teamer and the blue teamer get the same tool at the same time, and it takes you longer to write a detection than it does for them to weaponize it, you suck at your job. Like, that's all I got for you.
Dan: For real. Right. That was, that was kind of, that's always been my angle. The whole argument is like, shouldn't you be thanking us? Like, isn't, isn't there a need to say thank you for giving somebody the tool to be lazy enough to just standardize onto a, like a, you know, one homogenous source of signal. Like, why, why are you getting mad at making the problem space easier?
Malware Unicorn: The folks that make exploits, right? They make, they release the POCs. How come they don't get flack for releasing a POC?
Ben: Oh, they do.
Malware Unicorn: Well, it's not so much of a heated debate as it is with tools. At least that's what I see.
Ben: Well, if you never read Twitter, you never get any flack. That's my solution. Yeah. But what actually, so what Dan just said, uh, there is, there is something I did notice with, um, with the SolarWinds thing. There's a kind of over-fitting that happens in the write-up sometimes. So like FireEye, for example, wrote up like the definitive, you know, document, like: we reversed it, these were the indicators of compromise, and all this stuff. Uh, and they said up upfront that like we saw, um, you know, the, the attackers were spinning up different cloud infrastructure in the, like, for each target potentially.
Um, cause they were just spinning up cloud nodes to be the C2. And then, and they said that up front, and then at the end they said, you know, here's the list of indicators of compromise, uh, that we pulled out by looking at, you know, like, us being targeted. And if you read it carefully, you would have figured out that almost all of those indicators of compromise, at least the network ones, would probably not apply to you.
But most blue teams got that document. Didn't read any of the text in the first few pages and just went to the end to indicators of compromise and they entered that into their, uh, IDS or whatever. And then they called it good.
Dan: TL;DR thanks for the sigs.
Vyrus: And that's also a good, that's a really good example because the other thing there is that, like, I feel like, like, so FireEye came out with their writeup first because, you know, if one believes the narrative that the internet told you, like, they're the ones that found it, right? They, they like found it and they were like, "Hey, we think we got kind of popped by this thing. We dug into it. Oh, it came from our vendor. Oh, that's a big vendor." And like, that was the chain of custody. Right? And so the reason that's important is because they profiled the sample of the, of the implant that got used on them before they got to like the details of the attack and then the details of the attack.
And some of those IOCs are actually pretty damn fuzzy. Right? And all the write ups that have happened since have all been about the different implants that the same attack was used to drop. So actually if you're doing blue team, it's like, all this is great. Like, I mean, you know, thanks for, thanks for publishing what you have, but it's all basically fucking useless because they were a decent enough attacker that like, clearly the people that actually did the thing, like sold access to other folks and other folks launched like their ninja payloads or whatever.
And while telemetry on the ninja payloads is great, like if you're a blue teamer that ain't the bug, right? That's just generalized threat intel, you know, that's not what you write detections for. You write detections for the actual methods of like, if my, if my agent ever drops something, right? Like, and nobody's, nobody's writing-- well, I shouldn't say nobody, but like, you know, those people that are writing those detections, they're not the people bitching on Twitter.
Ben: All right. Final thoughts anyone? Dan?
Dan: Always getting called out. No, I'm good. This is great.
Ben: Awesome. Well, uh, yes. Thank you. Thank you so much for, uh, uh, well, first of all, for just making these amazing trainings, uh, I, uh, I hope you get back to it. I look forward to the anti analysis one, especially, but I'm sure anything you come up with in the future it'd be great. Um, let's see, like, uh, maybe in, uh, uh, what two or three years, you might have some like, how to hack training for four year olds?
Malware Unicorn: Maybe, yeah.
Ben: That'd be super cool.
Vyrus: My secret agenda would be to, just, thanks for answering all my pestering DM questions.
Malware Unicorn: No worries.
Vyrus: About OS X stuff. And, uh, and I guess, like, there's a, there's an odd cadre of, I mean, I don't know what else to call them, like DEF CON parents. So I guess like welcome to that club? Because that's a thing. You know.
Ben: We don't want to put any pressure on the kid, you know, if they want to be an artist or whatever, it's perfectly fine. Uh, I mean, there is like that. I am kind of curious what a, what a third generation InfoSec person would be like.
Dan: Just say no to NFTs.
Vyrus: I mean, at least your kid still has a choice. There's literally already a picture of my kid standing next to Nikita's kid at DEF CON in 2019. So like he's already screwed.
Malware Unicorn: Yeah. Yeah. Well, we'll see if she'll be able to go, uh, you know, being a pandemic baby. It'll, it'll be interesting to see how she grows up.
Justin: Hey, thanks for coming on our show. Really enjoy your stuff. And also, um, really enjoyed hearing about your thought process, um, how you go about things. That was very interesting to me and I think everyone else as well.
Malware Unicorn: It was fun. I got to nerd out a little bit.
Ben: Alright, well, we'll leave it there. Um, until next time, I guess, uh,
More than ever,
Hacking is not just a crime,
It's a survival trait!