Anti-Virus Evasion Techniques

Deniz Kaya

Deniz Kaya – CCSI, CCNP, CCSP, CPTS, MCT.

Two years ago, at the ESCOM IT Security Conference organized by IDC Bulgaria, we gave a presentation about evading Anti-X programs by using encoding techniques. It is surprising that people are still asking how to use such methods and why some Anti-Virus vendors are not able to detect the malicious code.

First let’s talk about the reason why some Anti-Virus systems are not able to detect the malicious code; then I will share some utilities to prepare such a program.

Mainly it is the analysis method of the Anti-Virus program. Some of them use signature matching, where they look for an exact match in their database by calculating the hash value of the suspect program and comparing it against the database. While this gives no chance of a false positive, it is quite easy to hide from, because even if you only add white bytes to a malicious file its hash value will be different. That’s the reason other Anti-Virus vendors use Heuristic Analysis techniques. This technique is designed to detect previously unknown computer viruses, as well as new variants of viruses already on the internet.
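To illustrate the point above, here is an added example (not code from the original article) that contrasts an exact-hash signature with a byte-pattern signature on a constructed placeholder file. Appending "white" bytes breaks the hash match but not the pattern match, which is why a hash-only signature database is brittle:

```python
import hashlib

# Constructed placeholder "file" standing in for a known sample; it is not
# real malware, just bytes with a recognisable marker inside.
KNOWN_BAD = b"MZ\x90\x00" + b"PLACEHOLDER-FAMILY-MARKER" + b"\x00" * 16


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database of the "exact hash match" kind described in the text.
HASH_DB = {sha256(KNOWN_BAD)}

# Content signature database: byte sequences characteristic of a family.
PATTERN_DB = [b"PLACEHOLDER-FAMILY-MARKER"]


def hash_scan(sample: bytes) -> bool:
    """Hash-based detection: the whole-file hash must be in the database."""
    return sha256(sample) in HASH_DB


def pattern_scan(sample: bytes) -> bool:
    """Content-based detection: any known byte pattern anywhere in the file."""
    return any(pattern in sample for pattern in PATTERN_DB)


def pad_with_white_bytes(sample: bytes, count: int = 1) -> bytes:
    """Append `count` space bytes; the content is otherwise unchanged."""
    return sample + b" " * count


if __name__ == "__main__":
    padded = pad_with_white_bytes(KNOWN_BAD)
    print("hash scan, original:", hash_scan(KNOWN_BAD))      # True
    print("hash scan, padded:  ", hash_scan(padded))         # False
    print("pattern scan, padded:", pattern_scan(padded))     # True
```

Note that a pattern signature is only as good as the bytes it keys on; an encoder that rewrites those bytes defeats it too, which is the gap heuristic analysis tries to close.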

Heuristic Analysis generally utilizes two techniques:
1) First, they execute the commands of the program or script under scan within a specialized virtual machine. In this way they simulate what would happen if the program were executed, while keeping the suspicious code isolated from the real machine. Here they look for activities like file overwrites, replication, any attempt to hide itself, etc.
2) The second technique is to decompile the program code and then analyze the source code. They compare the source code with the known virus or malware database and look for a match.

Although Heuristic Analysis seems one step ahead of vendors which just use signature methods, there is always a chance of false positives. And because it relies heavily on past experience, it may not be able to detect new viruses.

Now let me share some commands and tools which can help you do your own test. For this demonstration I am going to choose a payload which injects a VNC Server on a remote Windows machine and reverse connects to my computer. I am going to encode this payload with msfencode, which comes with the Metasploit project, so it will not be detected by signature-based Anti-Virus systems:

When somebody executes this newbackdoor.exe file it will automatically install a VNC server on the remote machine and reverse connect to myipaddress.com.tr:443.
I will upload this file to the www.virustotal.com website to test it.

And here are the results: 27 out of 43 Anti-Virus programs were not able to detect this backdoor program.

Finally, I’d like to give you some pieces of advice:

Be knowledgeable about viruses, worms, and malware.
Use a good AV product, and update it regularly.
Don’t install any software from the internet.
Update your OS (Windows, Linux, etc.).
Be careful about email messages and attachments.
Don’t use p2p applications like torrents, etc.
Make sure you have a firewall installed on your computer.

____________________________________________________
Deniz Kaya is a senior security instructor at New Horizons Bulgaria
Deniz has planned, directed, and coordinated multiple projects simultaneously, ensuring goals and objectives were accomplished within time limitations and funding conditions. His core competency lies in the areas of penetration testing, security assessments, enterprise network design, capacity planning and vendor evaluation. Equipped with industry-recognized certifications under his belt, Deniz has demonstrated his determination to continuously self-improve and make his presence felt.

Deniz currently holds the prestigious industry certifications Microsoft Certified Systems Engineer (MCSE), Certified Cisco Systems Instructor (CCSI #31650), CCIE Security Written, Cisco Certified Network Professional (CCNP), Cisco Certified Security Professional (CCSP), Cisco Ironport Certified Security Instructor (ICSI), Cisco Ironport Certified Security Professional (ICSP), Certified Penetration Testing Specialist (CPTS), Microsoft Certified Trainer (MCT). 

Contact us for information on information security courses.
