Antivirus Evasion

From Unprotect Project
Revision as of 16:25, 3 November 2016 by Admin (Technics)


Technique Description

Anti-virus evasion covers all the techniques used by malware to evade detection by anti-virus software.

Below is a list of all the AV evasion techniques in the Unprotect Project:

Anti-Virus Evasion Techniques

Evading signature

Evading specific signature: Some signatures are written to catch one exploit or one specific behaviour. By reversing the signature it is possible to modify the malware so that it no longer matches, for example by changing the size of the matched payload or by changing the file's header.

PE format tricks: Signatures can also be evaded by modifying the PE structure: section names, TimeDateStamp, MajorLinkerVersion/MinorLinkerVersion, MajorOperatingSystemVersion/MinorOperatingSystemVersion, MajorImageVersion/MinorImageVersion, AddressOfEntryPoint, the maximum number of sections, and the file length.

Evading scanner

Fingerprinting emulator: Fingerprinting the AV emulator lets the malware detect that it is being analysed. For example, an AV emulator may create a specific mutex; checking for that mutex lets the sample recognise the AV.

Big file: Because scanners impose a file size limit, a file can be made larger than the hard-coded limit so that the scanner skips it. This file size limit applies especially to heuristic engines based on static data (data extracted from the portable executable, or PE, header).

Loading a vital library for the OS: Try to load a library that is vital for the operating system but not supported by the emulator, then call an exported function from it. Merely attempting to load the library will fail in almost any emulator.

File format confusion: Confusing the file format is another trick that can be used to bypass an AV detection specific to a given file format.

Evading heuristic

Bypassing static heuristic: By looking at the structure of the PE and the content of the file, the engine decides whether the file is malicious. Some AV engines can be fooled easily once their logic has been analysed. For example, a heuristic engine may check whether a file uses a dual extension (e.g. invoice.doc.exe) and classify the file as malicious on that basis.

Bypassing dynamic heuristic: Dynamic heuristic engines are implemented as hooks (in user-land or kernel-land) or are based on emulation. User-land hooks (HIPS) can be easily bypassed by malware by patching back the entry point of the hooked function. To bypass a kernel-land hook, malware has to run in kernel space by installing a driver or abusing a kernel-level vulnerability.
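The static checks described above, seen from the detection side, as an added example that is not part of the Unprotect Project page: a small Python checker that parses the PE header fields named under PE format tricks and flags the anomalies a static heuristic engine would look for (dual extension, oversized file, section count, zeroed or future TimeDateStamp, zeroed linker version, entry point outside every section). The file-size limit and the minimal sample PE are constructed assumptions, not values taken from any product.

```python
import re
import struct
from datetime import datetime, timezone
SIZE_LIMIT = 50 * 1024 * 1024   # assumed scanner cut-off; real products use their own value

def parse_pe(data: bytes) -> dict:
    """Read the COFF/optional-header fields and section table the checks below use."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1  # e_lfanew
    if pe < 0 or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, tstamp, opt_size = struct.unpack_from("<HI8xH", data, pe + 6)
    opt = pe + 24                                            # optional header start
    major, minor = struct.unpack_from("<BB", data, opt + 2)  # linker version
    entry = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(min(nsect, (len(data) - opt - opt_size) // 40)):  # tolerate truncation
        name, vsize, vaddr = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(errors="replace"), vaddr, vsize))
    return {"nsections": nsect, "timestamp": tstamp, "linker": (major, minor),
            "entry": entry, "sections": sections}

def static_heuristics(path: str, data: bytes, now=None, size_limit=SIZE_LIMIT) -> list:
    """Return the anomalies found; an empty list means nothing was flagged."""
    flags = []
    parts = re.split(r"[\\/]", path.lower())[-1].split(".")
    if len(parts) > 2 and parts[-1] in {"exe", "scr", "com"}:  # invoice.doc.exe style name
        flags.append("dual-extension")
    if len(data) > size_limit:                               # never silently skip big files
        flags.append("oversized")
    hdr = parse_pe(data)
    if hdr["nsections"] == 0 or hdr["nsections"] > 96:       # PE/COFF spec allows at most 96
        flags.append("section-count")
    now = now or datetime.now(timezone.utc).timestamp()
    if hdr["timestamp"] == 0 or hdr["timestamp"] > now:      # zeroed or future build time
        flags.append("timestamp")
    if hdr["linker"] == (0, 0):
        flags.append("linker-version")
    if not any(va <= hdr["entry"] < va + max(vs, 1) for _, va, vs in hdr["sections"]):
        flags.append("entry-point")                          # entry RVA outside every section
    return flags

def build_sample_pe(n_sections=1, timestamp=1478000000, entry=0x1000) -> bytes:
    """Constructed minimal PE32 (headers only) used as test input; not a real binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n_sections, timestamp, 0, 0, 224, 0x102)
    opt = struct.pack("<HBB", 0x10B, 14, 0) + b"\0" * 12 + struct.pack("<I", entry)
    opt += b"\0" * (224 - len(opt))
    secs = b"".join(b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000 * (i + 1), 0x200, 0x400)
                    + b"\0" * 16 for i in range(n_sections))
    return dos + coff + opt + secs
```

Each flag on its own is only a hint; an engine would weight several of them together before deciding, which is exactly why single-field PE edits can still slip past a weak static check.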
File splitter and hex editor