In this article you will learn various methods of Antivirus evasion and tips and tricks to counterattack them. To do so, this article contains a section on how Antiviruses work, an analysis of various evasion methods (packers, binders, etc.), countermeasures and ways to protect yourself.
The antivirus (AV):
An antivirus is a piece of software that sets out to detect, remove and prevent viruses, trojans and worms (the three kinds of malware). With an AV there are many trade-offs in the methods employed to actually detecting malware, especially since new malware is always becoming available. The one thing we do know, (thanks to Computer Scientist Fred Cohen) that it is impossible to perfectly detect all possible viruses.
Whenever dealing with AV's, true positives, false positives and false negatives need to be considered in order to determine how effective a certain algorithm is.
Different approaches to AV algorithm design are signature based detection, heuristics and rootkit detection. Signature based detection are the most common techniques and will be the major focus of this article.
Signature based detection algorithms rely on a dictionary containing the signatures of malware. The issue with this is that the virus needs to be reversed engineered and analyzed in order to determine characteristics of the malware's signature. The signature of a file is typically determined by the checksum of the file properties (such as file type and size), and then some amount of bytes of the binary.
Heuristic algorithms serve to detect new malware that are typically variants of a known piece of malware. These work on finding similarities between a common piece of malware and its variation. The issues with this approach is the large number of false positives, because they will require user action to a greater extent. The other issue is the large number of false negatives, which would cause a piece of malware to infect the computer. The principle is the same as a signature based detection however less specific signatures are used.
Rootkit detection is the last common method. This method scans for rootkits which are malware designed to gain administrative privileged.
With all three of these methods, the company making the AV needs to make a decision on the trade-off between resources used and viruses detected. As a result, a more minimalistic model is used which is why it is not too difficult to evade the AV. For example in a signature based detection system, typically only the first 40 bytes are actually checked.
Methods of AV Evasion:
There are several methods currently used to evade an AV and most fall back upon exploiting the minimalistic model used. Metasploit, Meterpreter and Metasploit's msfencode are very helpful in AV evasion (I chose to focus on AV evasion from a higher level and more conceptual standpoint, if you want the specifics, syntaxes and software used, just ask).
A binder works exactly how their name would suggest. They literally bind 2 (sometimes more) executable files together then generates a new binary. They will typically bind a non-malicious executable with a malicious one. The new file will take on properties of the files that went into it. When the new file is executed, it will extract the original malicious code from it and execute it. At this point the virus would have successfully evaded the AV and potentially compromised the system. Any static AV software (based on dictionaries primary, AV does not take into account variations that a heuristic kind would) would not be able to determine that the malicious code masked its signature. Furthermore the virus is now associated with signed digital certificates if it chooses certain types of files to bind to (like some kind of an installer).
A packer works similarly to a binder, however the malicious code is compressed before it is bound to a non-malicious file. At this point the virus is completely hidden from the system since the compression has changed its signature so much that even an offset in the bytes checked would not result in a true positive.
This type of software simply split an executable into different parts. This changes the checksum and even the signature making the split executable undetectable to AVs.
Converting Executable to a Client Side Script:
Converting an executable to a client side script (like vb script for Windows) typically yields a high success rate for bypassing the AV. This can be done using the .NET framework or using applications available on the Internet. The client side script isn't only limited to vb scripts, other possibilities are batch files or .swf however they have a lower success rate.
Code Obfuscation/ Code Morphing:
This is considered to be the most advanced AV evasion technique. It involves making code to confuse the AV. Certain techniques are used in code obfuscation and will be briefly explained in this article. The main goal is to prevent the AV from picking up malicious trends in the code.
-Adding Functions to the code:
Adding functions to the code, even if never used can cause the AV to consider the executable to be more purposeful and even confuse it by hiding malicious functions in between non-malicious even helpful functions (maybe even go so far into tricking the AV its software to optimize the system).
-Decreasing loop length:
AV's look for code that tries to hog system resources, so by cutting long loops out of your code, it is more likely to evade an AV. This can be done by breaking one large loop into several small ones. (If you are trying to hog resources this will do it much better than a large one anyway).
-Rewriting any shell-code used:
Add single and multi-line comments in any shell-code. This does not affect how the code runs however to an AV (assuming the file is not a binary because then there would be no comments) would naturally break the shell-code into smaller pieces and view it as less threatening if even threatening at all.
-Blocks of Arrays:
In your code build up a series of small arrays (thus less memory consuming), but as they build up they will pose a large threat on memory resources in the computer. One way to do this is to cumulatively sum the contents of each array. This should bypass the AV through code morphing, while hogging system resources.
-Embedding Encrypted Code:
Another technique is to encrypt the malicious code and attach a decrypting algorithm to it. This way it cannot be detected by the AV, but at runtime it is a fully functional malicious code targeting the system (this also prevents disassembly of the code).
Adding in jump commands, register reassignments and using NOP-insertion to change the binary's signature.
Polymorphic Malicious code:
Malicious code uses mutation to then encrypt itself to change its signature and hopefully bypass the AV.
Fake File Extensions:
Either use Class ID extensions to hide the original extension of a file, or using much simpler tricks to hopefully fool the user. These include naming the file something that the user is extremely likely to click on, using a fake file extension like .gif.vbs or even adding spaces after a fake file extension before the real one so it never is visible to the user
Countermeasures/ Protecting Yourself: Identifying Malicious Code:
All .exe's and binaries first two bytes are 'MZ'. This denotes that a file is executable (it is an MS DOS header). Furthermore, the first 27 bytes of a .exe contain the header information for that given file. The first two bytes can be determined quite easily by opening the file into notepad.
-Keep the AV on your computer up-to-date
-Never open suspicious attachments no matter how enticing the file name is
-Run a firewall
-Keep your system current with security patches
-Always scan external drives
-Set up an AV scan schedule
-Run an IPS (Intrusion Prevention System) or IDS (Intrusion Detection System)
-Stay up-to-date with malware and virus outbreaks
-Remember the AV can't do everything; users need to be responsible and only use trusted software
Thanks for reading.
I hope you found this article useful. If you have any questions contact me (by either comment or PM) and I will get back to you.
Cast your vote on this article 10 - Highest, 1 - Lowest
Comments: Published: 9 comments.
HackThisSite is is the collective work of the HackThisSite staff, licensed under a CC BY-NC license.
We ask that you inform us upon sharing or distributing.