Chapter 10: Conclusions

YASE - Yet Another Software Engineer

In this thesis, we introduced malware, with its categories and components, and the scenarios in which it can be employed, such as penetration tests, red teaming, and phishing campaigns. We then described how we approached the development of malware and, in particular, how we overcame the problem of detection by antiviruses. All the knowledge we acquired was used to create a framework that is capable of automatically composing malware according to appropriately provided specifications. The results obtained from executing our malware on two trial virtual machines are presented in the final part of the thesis, together with the most common post-exploitation techniques.

What has been seen in this thesis debunks some common myths regarding the impenetrability of systems protected by antivirus and, therefore, the effectiveness of such protection. We have seen, in fact, that although machines may be fully updated, there is always the possibility of creating something (malware) capable of bypassing defenses and, as seen in Chapter 9, causing considerable damage. One might wonder whether definitive solutions exist and, if so, what they are, in order to feel truly protected. Probably an exact answer to this question does not exist; however, a wide range of software, called EDR (Endpoint Detection and Response), is available on the market, capable of going beyond the simple functionalities of an antivirus and providing protection also from the infamous “zero-days.” These tools monitor the behavior of a program from the beginning of its activity, and as soon as it deviates from a predefined behavioral model, they are able to block its execution and take appropriate countermeasures. This type of detection, which we can associate with dynamic analysis, allows us to understand the nature of a piece of software at the very moment it commits its “crime.” Such technologies can increase our degree of security and overcome the problems of more common antiviruses, which are confined, more than anything else, to home use.
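To make the behavioral-model idea concrete, the following is an added illustration (it is not code from the thesis or from any EDR product) of the simplest possible version of what the paragraph describes: each program is watched from its first event, every event is checked against a predefined profile of the event kinds that program is expected to produce, and the first deviation marks the process as blocked. The event kinds, the per-program profiles, the default profile for unknown programs, and the event stream itself are all constructed assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Event:
    """One behavioral telemetry record (constructed, not real EDR output)."""
    pid: int
    image: str     # executable that produced the event
    kind: str      # event type: file_read, file_write, net_connect, proc_create, reg_write
    detail: str = ""


# Predefined behavioral model: the event kinds each program is expected to
# produce. These profiles are hypothetical; a real EDR learns or ships its own.
BASELINE: dict[str, set[str]] = {
    "notepad.exe": {"file_read", "file_write"},
    "outlook.exe": {"file_read", "file_write", "net_connect"},
}
DEFAULT_PROFILE: set[str] = {"file_read"}  # fallback for images with no specific profile


@dataclass
class Verdict:
    pid: int
    image: str
    blocked: bool = False
    observed: list[str] = field(default_factory=list)  # event kinds seen before any block
    reason: str = ""  # the first deviating event, if any


def evaluate(events: list[Event],
             baseline: dict[str, set[str]] = BASELINE) -> dict[int, Verdict]:
    """Replay the event stream in order, keeping one Verdict per pid.

    Each process is watched from its first event. The first event outside
    its profile sets blocked=True with that event as the reason; later events
    of the same pid are ignored, since the process would already have been
    terminated by the countermeasure.
    """
    verdicts: dict[int, Verdict] = {}
    for ev in events:
        v = verdicts.setdefault(ev.pid, Verdict(ev.pid, ev.image))
        if v.blocked:
            continue
        allowed = baseline.get(ev.image, DEFAULT_PROFILE)
        if ev.kind in allowed:
            v.observed.append(ev.kind)
        else:
            v.blocked = True
            v.reason = f"{ev.kind} {ev.detail}".strip()
    return verdicts


# Constructed event stream: one benign process, one that deviates mid-run,
# and one program with no dedicated profile.
SAMPLE_EVENTS: list[Event] = [
    Event(100, "notepad.exe", "file_read", "C:\\Users\\a\\notes.txt"),
    Event(200, "outlook.exe", "net_connect", "198.51.100.7:443"),
    Event(100, "notepad.exe", "file_write", "C:\\Users\\a\\notes.txt"),
    Event(200, "outlook.exe", "file_write", "C:\\Users\\a\\mail.pst"),
    Event(100, "notepad.exe", "net_connect", "203.0.113.5:443"),    # deviation from profile
    Event(100, "notepad.exe", "file_write", "C:\\Users\\a\\x.tmp"),  # ignored: already blocked
    Event(300, "tool.exe", "file_read", "C:\\tmp\\in.dat"),          # allowed by default profile
    Event(300, "tool.exe", "reg_write", "HKCU\\Software\\Example"),  # deviation from default
]


def main() -> None:
    for v in evaluate(SAMPLE_EVENTS).values():
        state = f"BLOCKED ({v.reason})" if v.blocked else "allowed"
        print(f"pid {v.pid} {v.image}: {state}; observed {v.observed}")


if __name__ == "__main__":
    main()
```

The point of the replay is the timing the paragraph stresses: the verdict is reached at the moment of the first out-of-profile event, not after a whole run has been collected, and nothing about the file on disk is consulted. A real product would use a far richer model (sequences, parent/child relationships, scoring with thresholds rather than a single deny), but the structure of the decision is the same.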

On the other hand, the evasion techniques of our malware can also be improved to make life harder for AV software. Among the possible improvements we can list: