Hello, welcome to the Friday, May 28, 2021 edition of the Sandcent, Center at Storm Center's

Stormcast. My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida, but virtually

teaching in London, England. In Diaries today, we got an interesting experiment by Jan. He

looked at the effectiveness in using

different encodings in order to evade antivirus. And what he focused on was base encodings.

Now, you're probably all familiar with base 64, but there are a number of different base encodings,

like, for example, base 32.

What they all have in common is that they essentially map all byte values from 0 to 255

into a more limited character set, like 64 characters for base 64.

As a sample, Jan took a meta-sploid payload, which of course should be well-detected,

and it was well-detected if not obfuscated, and he then compiled it for 32 and for 64 bits.

A couple interesting results here. First of all, yes, and that's very not surprising that base 64 encoded binaries are not well

detected, but it didn't really make a difference as to what base encoding was used.

What probably was more surprising than base 64 encoding not being detected well was that 64-bit binaries

were detected much less than 32-bit binaries, regardless the encoding.

With 64-bit CPUs and operating systems now pretty much being the default all over, A lot of malware, of course, is also

compiled for 64-bit, and you would expect anti-malware tools to do a bit better than what

they are doing here, according to Jan's experiment. Never mind, of course, that this is only going

to become worse as we do have sort of a diversification of architectures with Arm, of course, also becoming more and more popular in particular on the mobile side.

And then we got an interesting proof of concept exploit for all current versions of MacOS and iOS, and that includes

14.6 for iOS, as well as MacOS 11.4. The problem here is a vulnerability in WebKit. Of course,

WebKit is the basic foundation of Safari,

...