.

How to defeat Anti-virus

<<

Kev

Post Fri Nov 10, 2006 2:02 pm

How to defeat Anti-virus

  All hackers worth anything know how easy it is to defeat anti-virus. What worries me is the amount of security professionals I encounter that are not aware and put too much trust in it as a major part of their line of defense.  Now don’t get me wrong, I do believe you should be running it, but I feel its foolish to think just because a file passed a simple AV scan, all is ok. 
   To understand how to defeat anti-virus programs, you first need to understand how they work.  AV scanners work by recognizing malware through a digital signature of their code.  Its much more efficient to simply check each file on the hard drive against a piece of binary code “signature” in the AV’s data base. If there is a match, then the AV scanner will see it as malware. If not, it lets the file go on its merry way. 

  In order to broaden the scope of the scan, many scanners also do what they term as "heuristic" scanning.  Unfortunately, all this means is the AV will also make alerts on what they see as a near or possible match to the signature.  This can be more of nuisance than a help sometimes when the AV miss identifies a security program as a Trojan.


  So all we need to do to defeat Anti-virus is to create malware that is free of any bytes of code that can be matched to any known virus,etc…


  There are two very popular methods for this in the hacker community:
1. Write your own malware.
2.      Use a "packer / crypter"

Writing your own malware is the best choice but many hackers are weak in coding so they often rely on using a crypter instead.  Crypters are programs that take all the code from the program and apply an encryption algorithm to it.  This will confuse the AV scan because it will not be able to match the code against its database of signatures. The interesting thing about a file encrypted in this manner is that it will still function fully because the new encrypted file will include what is called a “stub”. The “stub” is a piece of code that can decrypt and cause the original file to run dynamically.

There are a few packer / crypter programs available on the internet that can be downloaded.   However, I have found that many AVs have checked these out and now include a decryption algorithm in their scanners that can see through the encryption if you use one of the better known crypters. 

The problem is, most hacker groups have at least one person that can do some basic coding and it’s very easy to code a crypter. It’s actually easier to code a crypter than write a Trojan from scratch.  If you code your own private crypter, no anti-virus will catch your malware!

   Anti-virus companies have been very slow in responding to this.  It is well know that it took over a year for them to respond to morphine. Morphine was a crypter released on www.hxdef.org&nbsp; and made just about any Trojan slip right through AV scanners.

What about now? Well as a simple test I decided to download some very readily available programs on the internet.  One program was a “make your own Trojan” program, presumably for someone that wanted to make a Trojan but had no coding skills. The second program was a program that is supposed to make your Trojan “stealth”.  While this program had some out dated things like a “byte packer”, it did have a packer/ cyrpter.   

   Ok, so I created the Trojan and named it trojan.exe.  Heck,  no one will expect anything that obvious, Ha Ha ? I then bound it to a small legitimate exe.  I had it set so once you downloaded it and click on it, all you would see is a message stating that “You have been Hacked!”.  Ok, not very original but I was rushing through this to get to the end result. 

  First test was to try and upload it to my Yahoo mail. I received the following message:

The following file has not been attached:

  trojan.exe (284k)
File infected. This file can not be cleaned. Please run a virus scan on your computer.


  Ok thats great. Yahoo’s anti-virus saved the day. Now lets take that same Trojan and pack and scramble it. This time when we try to email it we get the following message:

The following file has been attached:

  trojan.exe (284k) [Remove] No virus threat detected
Attach More Files


  I go ahead and email it to myself and download it to one of my boxes and guess what? It runs just fine!  How can this be? These 2 programs are readily available on the net if you know where to find them.

Lets check the scrambled Trojan with http://www.virustotal.com/en/indexf.html. This is a great free site that will run multiple AV scan engines against malware. We get this out put:
Complete scanning result of "trojan.exe", received in VirusTotal at 11.10.2006, 19:20:46 (CET).

Antivirus    Version      Update             Result

AntiVir        7.2.0.39      11.10.2006         BDS/CyberSpy.85.Srv
Authentium 4.93.8         11.10.2006         no virus found
Avast          4.7.892.0    11.09.2006        Win32:Cyberspy
AVG            386             11.10.2006        BackDoor.CyberSpy.I
BitDefender7.2              11.10.2006        GenPack:Generic.Malware.SFMBkbg.270B876F
CAT-QuickHeal8.00       11.10.2006      Backdoor.CyberSpy.85
ClamAVdevel-2006042611.10.2006      no virus found
DrWeb              4.33        11.10.2006      BackDoor.Generic.103
eTrust-InoculateIT23.73.5111.10.2006   no virus found
eTrust-Vet30.3.3186        11.10.2006      no virus found
Ewido             4.0              11.10.2006     no virus found
Fortinet      2.82.0.0           11.10.2006     suspicious
F-Prot         3.16f            11.10.2006          no virus found
F-Prot    44.2.1.29           11.10.2006          no virus found
Ikarus    0.2.65.0             11.10.2006        Backdoor.Win32.CyberSpy.85
Kaspersky   4.0.2.24        11.10.2006          Backdoor.Win32.CyberSpy.85
McAfee       4893            11.10.2006           BackDoor-NT
Microsoft   1.1609          11.10.2006            Backdoor:Win32/CyberSpy.E
NOD3221861 11.10.2006                        Win32/CyberSpy.85
Norman      5.80.02           11.10.2006        no virus found
Panda         9.0.0.4          11.10.2006          no virus found
Sophos      4.11.0            11.07.2006no      virus found
TheHacker  6.0.1.116     11.09.2006       Trojan/Hami
UNA         1.83             11.10.2006              .CyberSpy.85.2790
VBA        323.11.1       11.09.2006             Backdoor.Win32.CyberSpy.85
VirusBuster4.3.15:9     11.10.2006             no virus found

Remember that these tools have been available for a while on the internet so I am surprised how many AVs didn’t find it at all.

Ok, now lets scramble the code with a private cyrpter and see what happens when I scan it at this site. We get the following read out:

Complete scanning result of "trojan.exe", received in VirusTotal at 11.10.2006, 19:28:46 (CET).
Antivirus          Version        Update              Result
AntiVir           7.2.0.39         11.10.2006         no virus found
Authentium     4.93.8            11.10.2006         no virus found
Avast               4.7.892.0      11.09.2006         no virus found
AVG                386               11.10.2006         no virus found
BitDefender     7.2                11.10.2006         no virus found
CAT-QuickHeal  8.00             11.10.2006         no virus found
ClamAVdevel  -20060426       11.10.2006         no virus found
DrWeb4           .33                11.10.2006         no virus found
eTrust-InoculateIT 23.73.51 1  1.10.2006         no virus found
eTrust-Vet         30.3.3186    11.10.2006         no virus found
Ewido                4.0              11.10.2006         no virus found
Fortinet              2.82.0.0      11.10.2006         no virus found
F-Prot                3.16f           11.10.2006         no virus found
F-Prot      44.2.1.29                 11.10.2006      no virus found
Ikarus0     .2.65.0                   11.10.2006       no virus found
Kaspersky4.0.2.24                   11.10.2006       no virus found
McAfee4893                           11.10.2006       no virus found
Microsoft1.1609                       11.10.2006       no virus found
NOD32v21861                         11.10.2006       no virus found
Norman5.80.02                        11.10.2006       no virus found
Panda      9.0.0.4                     1.10.2006         no virus found
Sophos4.11.0                           11.07.2006       no virus found
TheHacker6.0.1.116                 11.09.2006       no virus found
UNA1.83                                 11.10.2006       no virus found
VBA    323.11.1                       11.09.2006       no virus found
VirusBuster4.3.15:9                   11.10.2006       no virus found

Well, that’s kind of scary! Remember that encrypting it in this method in no way inhibits that Trojan from working.

Again, I want to stress that I am not saying that AV scanners are useless and to not bother with them. I am just trying to point out that they are not the total solution to your network security. 

If you have to download something that you are not sure of, the best practice is to first download to a computer on your network that is not critical.  Open the program and then port scan that box from another computer on the network. If you find a port opening up on something you thought was just supposed to be a birthday card from a friend, well you might want to be a little concerned!!!!
Last edited by Kev on Fri Nov 10, 2006 5:00 pm, edited 1 time in total.
<<

LSOChris

Post Fri Nov 10, 2006 5:54 pm

Re: How to defeat Anti-virus

on a similar note, there is a plugin for MSF v3 meterpreter that will turn off the antivirus on the remote host, that way you can upload any trojans without setting off the AV.

way cool
<<

Kev

Post Wed Dec 27, 2006 9:29 am

Re: How to defeat Anti-virus

I haven’t played with that particular plugin for MSF v3 meterpreter. That might make an interesting video.  I normally can stop some anti-virus programs once I have a shell on a box with the NET STOP command. For instance, Net Stop “symantic Antivirus Client”.
I assume that the  plugin has some auto script for that and that’s how it accomplishes it?

Methods like that are great for an “ in and out”  kind of attack. Turn off the anti-virus and upload your Trojan. Then gather whatever info you need and then delete your Trojan and all your tracks.  You don’t want to stay too long because the moment the computer is rebooted or an Admin sees the anti-virus has been turned off, its over.
<<

LSOChris

Post Wed Dec 27, 2006 10:07 am

Re: How to defeat Anti-virus

that's pretty much what it does it just goes thru a long list of AV's to hopefully get the one that is running on the box.
<<

Cutaway

User avatar

Jr. Member
Jr. Member

Posts: 96

Joined: Mon Nov 20, 2006 5:02 pm

Post Sun Jan 07, 2007 11:42 am

Re: How to defeat Anti-virus

UPDATE: Opps, sorry, wrong post.  You can remove if you want.

I responded to a comment posted to my blog.  Here is the comment and my response.

kurt wismer
Comment @ 01/07/07 at 7:19 am

instead of using a virus (which you do not have) to continue experimenting with, why not use the eicar standard anti-virus test file? after all, if you’re just testing how well you can hide an arbitrary program from an anti-virus scanner all that should really matter is that you use something the scanner would normally detect - and just about everything detects the eicar standard anti-virus test file…


I thought about using Eicar but I decided against it.  As I am not a malware expert, and want to focus on other things, there is really no point in moving forward with this test as I have accomplished my goal and I think I will gain more from reading the results of other more experienced malware experts (at least at this point).  Kev from Ethical Hacker has actually already done this anyway (http://www.ethicalhacker.net/component/ ... pic,821.0/) I just didn't see it until after my post.  It is obvious that most antivirus vendors use more information for their signatures than simple hashes and that the most common packerts/crypters will be included in their efforts.

I think the primary goal of this experiment (at least for me) was start thinking about ways to hide programs that might be uploaded for penetration testing.  What I get out of this is that simple modification is not enough.  I will either need to write my own programs to function in the same manner as tools like Netcat, or I will have to find an exploit (remote or local) that I can then use to have Metasploit or Core Impact subvert a process for me.  I like this better because uploads and new processes will probably be logged and then there is more work to hide it all.  If I cannot get a subverted process then I will try and use as many local programs as possible before uploading any program that I know is detected by antivirus software.  I will then also probably considers some of the other aspect of anti-virus evasion methods as described in the Ethical Hacker discussion (http://www.ethicalhacker.net/component/ ... pic,940.0/) before doing such uploads.

Thanks for your comments.
Go forth and do good things,
Cutaway
Last edited by Cutaway on Sun Jan 07, 2007 11:44 am, edited 1 time in total.
Go forth and do good things,
Cutaway

Return to Malware

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software