Antivirus Evasion

From Unprotect Project

Technique Description

Antivirus evasion covers all the techniques used by malware to avoid detection by antivirus software. They are used by malware writers, as well as by penetration testers and vulnerability researchers, to bypass one or more antivirus products. The aim is that the payload the attacker wants to execute on the target machine or machines is not blocked by the antivirus and can perform the required actions.

Techniques

Below is a list of all the antivirus evasion techniques in Unprotect Project:

Antivirus Evasion Techniques

Evading signature
  Hash calculation: An AV engine can recognise a known sample by computing the file hash and comparing it with a blocklist. Changing a single byte of the binary, even in data that is never executed, produces a different hash, so the sample evades hash-based detection.
  Evading specific signature: Some signatures are written to catch one exploit or one specific behaviour. By reversing the signature to see exactly what it matches, the malware can be modified so that it no longer matches, for example by changing the size of the matched payload or by changing the file header.
  PE format tricks: Signatures can also be evaded by modifying the PE structure: section names, TimeDateStamp, MajorLinkerVersion/MinorLinkerVersion, MajorOperatingSystemVersion/MinorOperatingSystemVersion, MajorImageVersion/MinorImageVersion, AddressOfEntryPoint, the number of sections (up to the maximum allowed) and the file length.

Evading scanner
  Fingerprinting emulator: Fingerprinting the AV emulator lets the malware detect that it is being analysed. For example, an emulator may create a specific mutex; checking for that mutex lets the sample recognise the AV and behave differently.
  Big file: Because of an imposed file size limit, the scanner can be tricked into skipping a file by inflating it beyond the hard-coded limit. This applies especially to heuristic engines based on static data (data extracted from the portable executable, or PE, header).
  Loading critical library for the OS: Load a library that is critical to the operating system but not supported by the emulator, then call one of its exported functions. In almost any emulator the load fails, which reveals the emulated environment.
  File format confusion: Confusing the file format (a file that is valid as more than one format) is another trick to bypass a detection that is specific to one file format.

Evading heuristic
  Bypassing static heuristic: By looking at the structure of the PE and the content of the file, the engine decides whether the file is likely malicious. Some engines are easily fooled once their rules are understood: for example, a heuristic may flag a file with a double extension (e.g. invoice.doc.exe) as malicious, so avoiding that pattern avoids the detection.
  Bypassing dynamic heuristic: Dynamic heuristic engines are implemented as hooks (in user land or kernel land) or through emulation. User-land hooks (HIPS) can be bypassed by restoring the original bytes at the entry point of the hooked function. Kernel-land hooks require the malware to run in kernel space, by installing a driver or abusing a kernel-level vulnerability.

File splitting: An old trick is to split the malicious file into several parts and scan each part separately with the AV. The chunk that still triggers detection is the part of the file that has to change to evade the antivirus being targeted.
Disabling antivirus: Some malware use specific commands to disable the antivirus and avoid detection.
Adding antivirus exception: Another option is to add an exclusion to the antivirus so that the malware is no longer scanned.
Fake signature: Executables carry metadata (version information and a digital signature) that lets users trust the third party distributing the program. Malware can spoof this metadata to fool the user as well as security tools.
Veil-Evasion: Veil-Evasion is not a technique but an open-source framework designed to evade AV by implementing several techniques, such as encryption, encoding, Hyperion and others.
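The following example is added here and is not code from the Unprotect Project. It illustrates the "Hash calculation", "PE format tricks" and "Big file" entries above: it builds a minimal PE32 image in memory (constructed for this demonstration, not a runnable program), patches TimeDateStamp, a section name and the file length, and shows that every edit yields a different SHA-256 while a hash over the raw section bytes stays the same. All function names are this example's own.

```python
"""Added example, not from the Unprotect page: header-only edits change a
file's hash, while the raw section bytes a detection can key on do not.
The PE32 image is constructed in memory and is not a runnable program;
every helper name here is this example's own."""
import hashlib
import struct

DOS_SIG, NT_SIG = b"MZ", b"PE\0\0"
E_LFANEW_OFF, COFF_SIZE, SECTION_SIZE = 0x3C, 20, 40


def build_sample_pe(section_names=(b".text", b".data"), timestamp=0x5A000000):
    """Constructed minimal PE32: DOS header, NT headers, section table and
    0x200 bytes of raw data per section at file offsets 0x400, 0x800, ..."""
    e_lfanew, size_opt = 0x80, 0xE0
    dos = bytearray(e_lfanew)
    dos[:2] = DOS_SIG
    struct.pack_into("<I", dos, E_LFANEW_OFF, e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), timestamp, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<HBB", opt, 0, 0x10B, 14, 0)   # Magic (PE32), Major/MinorLinkerVersion
    struct.pack_into("<I", opt, 16, 0x1000)          # AddressOfEntryPoint
    table = b""
    for i, name in enumerate(section_names):         # IMAGE_SECTION_HEADER entries
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                             0x200, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
    image = bytearray(0x400 * (len(section_names) + 1))
    header = bytes(dos) + NT_SIG + coff + bytes(opt) + table
    image[:len(header)] = header
    for i in range(len(section_names)):              # filler bytes, not real code
        body = (b"constructed section %d content " % i) * 32
        image[0x400 * (i + 1):0x400 * (i + 1) + 0x200] = body[:0x200]
    return bytes(image)


def _layout(data):
    """Check MZ/PE signatures; return COFF offset, section-table offset, count."""
    if data[:2] != DOS_SIG:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFF)[0]
    if data[e_lfanew:e_lfanew + 4] != NT_SIG:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    return coff, coff + COFF_SIZE + size_opt, nsect


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def summary(data):
    """TimeDateStamp, section names and size, as a header-based signature sees them."""
    coff, sect, nsect = _layout(data)
    names = [data[sect + i * SECTION_SIZE:sect + i * SECTION_SIZE + 8].rstrip(b"\0") for i in range(nsect)]
    return {"timestamp": struct.unpack_from("<I", data, coff + 4)[0], "sections": names, "size": len(data)}


def set_timestamp(data, ts):
    """Rewrite IMAGE_FILE_HEADER.TimeDateStamp (one of the 'PE format tricks')."""
    out = bytearray(data)
    struct.pack_into("<I", out, _layout(data)[0] + 4, ts)
    return bytes(out)


def rename_section(data, old, new):
    """Rename one section; names are 8 bytes, NUL padded, so longer names are rejected."""
    if len(new) > 8:
        raise ValueError("section names are at most 8 bytes")
    _, sect, nsect = _layout(data)
    out = bytearray(data)
    for off in range(sect, sect + nsect * SECTION_SIZE, SECTION_SIZE):
        if out[off:off + 8].rstrip(b"\0") == old:
            out[off:off + 8] = new.ljust(8, b"\0")
            return bytes(out)
    raise KeyError(old)


def pad_to_size(data, min_size):
    """'Big file' trick: append overlay bytes until the file exceeds a scanner's size limit."""
    return data + b"\0" * max(0, min_size - len(data))


def raw_sections_hash(data):
    """Defender-side view: hash only the raw section data, which none of the
    edits above touch. A section pointing past the end of file is an error,
    not something to silently truncate."""
    _, sect, nsect = _layout(data)
    h = hashlib.sha256()
    for off in range(sect, sect + nsect * SECTION_SIZE, SECTION_SIZE):
        size, raw = struct.unpack_from("<II", data, off + 16)   # SizeOfRawData, PointerToRawData
        if raw + size > len(data):
            raise ValueError("section at 0x%x points past end of file" % off)
        h.update(data[raw:raw + size])
    return h.hexdigest()
```

Chaining set_timestamp, rename_section and pad_to_size on the output of build_sample_pe gives four files with four different SHA-256 values and identical raw_sections_hash output. That is the practical lesson of the first three rows: a whole-file hash is the cheapest indicator to produce and the cheapest to defeat, so a detection should also key on content that the attacker would have to change in a meaningful way, such as the section bytes themselves.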
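The next example is also added here and is not code from the Unprotect Project. It implements the "File splitting" entry as a binary search over prefixes and suffixes rather than a cut into fixed chunks, which can miss a signature that straddles a chunk boundary. The scanner is a constructed byte-pattern matcher standing in for a real AV engine (in practice each call would write the bytes to disk and scan them); the sample data, the patterns and the function names are all assumptions of this example.

```python
"""Added example, not from the Unprotect page: the file-splitting trick done
as a binary search over prefixes instead of fixed chunks. The scanner is a
constructed stand-in (a byte-pattern match) for the real AV engine; the
sample file is constructed too. Function names are this example's own."""


def make_scanner(patterns):
    """Stand-in for 'write the bytes to disk and ask the AV'. Returns a callable
    that reports whether any known pattern occurs in the data."""
    def scan(data):
        return any(p in data for p in patterns)
    return scan


def locate_signature(data, scan):
    """Return (start, end) of the shortest slice the scanner still flags, or
    None if the whole file is clean.

    Scanning prefixes rather than disjoint chunks means a signature that
    straddles a chunk boundary is not missed. This assumes detection is
    monotonic (any slice containing a flagged slice is flagged); that holds
    for byte-pattern signatures but not for every heuristic, e.g. one that
    rejects a truncated PE as malformed before matching anything."""
    if not scan(data):
        return None
    lo, hi = 0, len(data)               # smallest prefix length that is flagged
    while lo < hi:
        mid = (lo + hi) // 2
        if scan(data[:mid]):
            hi = mid
        else:
            lo = mid + 1
    end = lo
    lo, hi = 0, end                     # largest start offset still flagged
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if scan(data[mid:end]):
            lo = mid
        else:
            hi = mid - 1
    return lo, end


def locate_all(data, scan, max_regions=16):
    """Find every flagged region: mask each one found and search again, with
    a cap so a scanner that also flags the mask bytes cannot loop forever."""
    regions, work = [], bytearray(data)
    while len(regions) < max_regions:
        hit = locate_signature(bytes(work), scan)
        if hit is None:
            break
        regions.append(hit)
        start, end = hit
        work[start:end] = b"\0" * (end - start)
    return regions


def counting(scan):
    """Wrap a scanner to count how many AV invocations a search costs."""
    calls = [0]

    def wrapped(data):
        calls[0] += 1
        return scan(data)
    return wrapped, calls


# Constructed sample: two 'signatures' buried in filler bytes.
SAMPLE = b"A" * 1000 + b"EVIL_SIG_1337" + b"B" * 500 + b"other_bad_pattern" + b"C" * 200
SCAN = make_scanner([b"EVIL_SIG_1337", b"other_bad_pattern"])

if __name__ == "__main__":
    scan, calls = counting(SCAN)
    for start, end in locate_all(SAMPLE, scan):
        print("flagged bytes %d-%d: %r" % (start, end, SAMPLE[start:end]))
    print("scanner invocations: %d for %d bytes" % (calls[0], len(SAMPLE)))
```

On the constructed sample the search pins both patterns to their exact byte ranges in a few dozen scanner invocations, where splitting 1730 bytes into small chunks would need many more and could still miss a pattern cut in half. The monotonicity assumption is the caveat to remember with a real engine: if a truncated file is treated as invalid rather than scanned, start from slices that keep the headers intact.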

References

The Antivirus Hacker's Handbook: http://amzn.to/2pcjqGT
Practical Malware Analysis: http://amzn.to/2nXYIdP
Malware, Rootkits & Botnets: http://amzn.to/2nXVI1b
Malware Analyst's Cookbook: http://amzn.to/2oQYNPP
https://collaborate.mitre.org/maec/index.php/Subcapability:50
https://www.amazon.fr/Antivirus-Hackers-Handbook-Joxean-Koret/dp/1119028752
https://www.sstic.org/media/SSTIC2013/SSTIC-actes/polyglottes_binaires_et_implications/SSTIC2013-Article-polyglottes_binaires_et_implications-albertini.pdf
https://github.com/Veil-Framework/Veil-Evasion