Malware and Successful AV Evasion Tactics

The malware ideology, and even its entire methodology, has morphed over the last year or so. This piece was written to offer some clarity on the idea of "AV evasion", since there seems to be little in-depth working knowledge of the various techniques actually used. Time for a quick lesson to give more definition to this increasingly popular malicious scripting.

Below is a list of some of the current successful antivirus evasion tactics used by malware.

Hash modification.
One way AVs detect whether a file is (or contains) known malware is by calculating the file's hash and comparing it against a database of known-bad hashes. Malware avoids this detection by changing a single bit in the binary, which changes the hash and lets the file evade any hash-based detection.

Specific malware signatures.
Some signatures are specifically designed to catch an exploit, or a sample that is otherwise spotted by specific behaviors. By reversing the signature, it is possible to modify the malware so that no matching patterns remain in it. One example is to change the size of the payload being matched, or simply to modify the file's header by hand. This can easily slip past many of the more popular flavors out there; the information written above alone can be enough to slip past detection.

Hidden PE format.
Signature evasion can also be performed by modifying the Windows PE (or the Linux ELF) file structure, for example by changing section names within the file, or with a simple script that modifies the TimeDateStamp.

Other fields that are commonly altered include:
MajorLinkerVersion / MinorLinkerVersion
MajorOperatingSystemVersion / MinorOperatingSystemVersion
MajorImageVersion / MinorImageVersion
AddressOfEntryPoint
the number of sections (up to the maximum allowed)
or the file's length.
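The two tactics above (flipping a bit to break the whole-file hash, and editing PE header fields such as TimeDateStamp, the version fields, AddressOfEntryPoint or the section table) are both cheap for the attacker and both leave traces a defender can look for. The script below is an added example written for this post, not code from the original author or from any AV product: it parses the COFF header, the optional-header fields listed above and the section table with nothing but `struct`, hashes each section separately so that a one-byte edit in one section still leaves the others matching a known sample, and reports header values that rarely occur in compiler-produced binaries. The allow-list of section names, the sample binaries and the `build_pe` helper that fabricates a minimal PE32 image are constructed for the demo and are assumptions, not real-world data.

```python
import hashlib
import struct
import time

# Section names mainstream toolchains normally emit (constructed allow-list for this demo;
# a real deployment would derive it from its own clean corpus).
COMMON_SECTION_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                        ".rsrc", ".reloc", ".bss", ".tls", ".CRT", ".gfids"}
MAX_SECTIONS = 96  # the Windows loader refuses images with more sections than this

def parse_pe(data: bytes) -> dict:
    """Read the COFF header, the optional-header fields the post lists, and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _machine, nsec, timestamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    _magic, major_linker, minor_linker = struct.unpack_from("<HBB", data, opt)
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    # The OS/image version fields sit at the same offsets in PE32 and PE32+ optional headers.
    major_os, minor_os, major_img, minor_img = struct.unpack_from("<HHHH", data, opt + 40)
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        body = data[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "raw_ptr": rptr, "raw_size": rsize,
                         "sha256": hashlib.sha256(body).hexdigest()})  # per-section hash
    return {"timestamp": timestamp, "linker": (major_linker, minor_linker),
            "os_version": (major_os, minor_os), "image_version": (major_img, minor_img),
            "entry_point": entry, "num_sections": nsec, "sections": sections}

def triage(data: bytes, now=None) -> list:
    """Header values that hint at hand-edited PE metadata. Returns a list of findings."""
    pe = parse_pe(data)
    now = time.time() if now is None else now
    findings = []
    if pe["timestamp"] == 0 or pe["timestamp"] > now + 86400:
        findings.append("TimeDateStamp is zero or in the future: %d" % pe["timestamp"])
    if pe["linker"] == (0, 0) or pe["os_version"] == (0, 0):
        findings.append("linker/OS version fields zeroed: %r %r" % (pe["linker"], pe["os_version"]))
    if pe["num_sections"] > MAX_SECTIONS:
        findings.append("NumberOfSections %d exceeds the loader limit" % pe["num_sections"])
    ep = pe["entry_point"]
    if not any(s["va"] <= ep < s["va"] + max(s["vsize"], s["raw_size"]) for s in pe["sections"]):
        findings.append("AddressOfEntryPoint 0x%x lies outside every section" % ep)
    for s in pe["sections"]:
        if s["name"] not in COMMON_SECTION_NAMES:
            findings.append("unusual section name %r" % s["name"])
        if s["raw_ptr"] + s["raw_size"] > len(data):
            findings.append("section %r raw data runs past end of file" % s["name"])
    return findings

def shared_sections(a: dict, b: dict) -> list:
    """Names of sections whose raw bytes hash identically in both parsed files:
    a one-byte edit elsewhere changes the whole-file hash but not these."""
    b_hashes = {s["sha256"] for s in b["sections"]}
    return [s["name"] for s in a["sections"] if s["sha256"] in b_hashes]

def build_pe(sections, timestamp=0x5F000000, entry=0x1000, linker=(14, 0)) -> bytes:
    """Constructed minimal PE32 image for the demo (valid headers, not a runnable program)."""
    file_align, e_lfanew, opt_size = 0x200, 0x40, 0xE0
    hdr_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    hdr_len = -(-hdr_len // file_align) * file_align            # round up to FileAlignment
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<HBB", opt, 0, 0x10B, *linker)           # PE32 magic, linker version
    struct.pack_into("<I", opt, 16, entry)                     # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, file_align)  # ImageBase, alignments
    struct.pack_into("<HHHH", opt, 40, 6, 0, 1, 0)             # OS version 6.0, image version 1.0
    headers, bodies, va, rptr = b"", b"", 0x1000, hdr_len
    for name, body in sections:
        padded = body + b"\0" * (-len(body) % file_align)
        headers += struct.pack("<8sIIIIIIHHI", name.encode(), len(body), va, len(padded), rptr,
                               0, 0, 0, 0, 0x60000020)
        bodies += padded
        va += -(-len(padded) // 0x1000) * 0x1000
        rptr += len(padded)
    head = dos + b"PE\0\0" + coff + bytes(opt) + headers
    return head + b"\0" * (hdr_len - len(head)) + bodies

if __name__ == "__main__":
    # Constructed samples: the second shares .text with the first but has one edited data byte,
    # a zeroed TimeDateStamp and a renamed section, so its whole-file hash no longer matches.
    known = build_pe([(".text", b"\x55\x8b\xec" * 40), (".data", b"\0" * 16 + b"cfg")])
    sample = build_pe([(".text", b"\x55\x8b\xec" * 40), (".fake", b"\0" * 16 + b"cfh")], timestamp=0)
    print("identical files:", known == sample)
    print("sections still matching the known sample:", shared_sections(parse_pe(known), parse_pe(sample)))
    for finding in triage(sample):
        print(" -", finding)
```

The design point is that a hash database is only the first, cheapest layer: per-section hashes (and, in production, import hashes or fuzzy hashes) survive the single-bit edit, and header fields that a compiler always fills in (TimeDateStamp, linker and OS versions) become a signal of their own once someone has zeroed or randomised them. `triage` never decides "malicious" on its own; it emits findings for a human or a scoring engine to weigh.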

Fingerprint emulator.
Fingerprinting the AV emulator lets the malware (pre-)detect a running AV. For example, a specific mutex used by the AV emulator can be looked for. This allows the file to detect an AV, or the particular pattern database file it has in use.

Large files.
Because of the file size limit imposed by the scanner, it can be tricked into skipping a file by changing the file's size so that it is larger than the hard-coded limit. This applies especially to heuristic scans, since they are based on static data (data extracted from the portable executable (PE) header).

Loading library files (critical for the OS, but not supported by the emulator).
Try loading a library that is critical for the operating system but not supported by the emulator, and then call an exported function. For example, trying to load such a library will fail in almost any emulator.

Format confusion.
Confusing the AV scanner with an illogical file format is another trick that can be used to bypass AV detection.

Bypass static heuristic scans.
From the structure of the PE and the content of the file, a scanner is able to decide whether the file is malicious or not. Some AVs can be fooled easily, just by analysing the file. For example, a heuristic scan can try to figure out whether a file has an invalid dual extension (e.g. invoice.doc.exe), which is a determining factor in the file being classified as malicious.
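The dual-extension check mentioned above is the kind of static heuristic that is cheap to run on every file name seen by a mail gateway or file server. The function below is an added example written for this post, not code from the original author or from any AV engine; it goes a little beyond the single case in the text and also flags two related name tricks that rely on the same user blind spot (a long run of whitespace that pushes the real extension out of view, and Unicode bidirectional override characters that reverse how the tail of a name is displayed). The two extension sets are constructed for the demo and are assumptions rather than a complete list.

```python
import re
import unicodedata

# Extensions Windows will run directly when double-clicked (constructed subset for the demo).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse",
                   "wsf", "hta", "ps1", "msi", "dll", "lnk"}
# Extensions a user reads as a harmless document or media file (constructed subset).
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "rtf",
                 "jpg", "jpeg", "png", "gif", "mp3", "mp4", "zip"}
# Bidi classes of the override/embedding/isolate controls (U+202A..U+202E, U+2066..U+2069).
BIDI_CONTROL_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}

def classify_filename(name: str) -> list:
    """Return a list of findings for a file name; an empty list means nothing suspicious."""
    findings = []
    parts = [p.strip() for p in name.lower().split(".")]
    # invoice.doc.exe: the displayed extension is a document, the effective one is executable.
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DOCUMENT_EXTS:
        findings.append("dual extension: looks like .%s but runs as .%s" % (parts[-2], parts[-1]))
    # photo.jpg<many spaces>.scr: narrow file listings truncate the name before the real extension.
    stem = name.rsplit(".", 1)[0] if "." in name else name
    if re.search(r"\s{5,}", stem):
        findings.append("long whitespace run before the real extension")
    # A right-to-left override makes "annex<RLO>fdp.exe" render as "annexexe.pdf".
    for ch in name:
        if unicodedata.bidirectional(ch) in BIDI_CONTROL_CLASSES:
            findings.append("bidi control character U+%04X in name" % ord(ch))
            break
    return findings

def scan_listing(names) -> dict:
    """Map each suspicious name in a directory listing to its findings."""
    return {n: f for n in names if (f := classify_filename(n))}

if __name__ == "__main__":
    # Constructed listing: two benign names and three deceptive ones.
    listing = ["report.docx", "setup.exe", "invoice.doc.exe",
               "photo.jpg" + " " * 40 + ".scr", "annex\u202Efdp.exe"]
    for name, findings in scan_listing(listing).items():
        print(repr(name), "->", findings)
```

Note that the check only argues about the name, not the content: a file called `setup.exe` is not flagged, because an honest executable is not a deception, and a renamed binary with a plain `.docx` extension is the job of the content-based heuristics discussed next, not of this one.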

Evading dynamic heuristics.
Dynamic heuristic scan engines are implemented as hooks (in user land or kernel land), or are based on emulation. User-land hooks (aka HIPS) can be easily bypassed by malware by patching back the entry point of the hooked function. For kernel-land hooks, the malware has to run in kernel space, by installing a driver or abusing a kernel-level vulnerability.

File splitting.
An old trick is to split the malicious file into different parts and let the AV analyse each of them separately; this is actually a part of the evasion tactic. Any chunk that triggers the AV is quarantined, which also tells the malware author which portions can be kept as they are. The chunks that triggered then get a fresh rewrite, resulting in a successful scan and evasion. Once all of them are marked as clean, they are reassembled back into the original state.

Disabling antivirus software.
Some malware can also use specific, crafted commands to disable the antivirus altogether, avoiding detection.

A simple diversion tactic.
Another way for malware is to add an exception into the antivirus.

Fake signatures.
Every exe file contains metadata that allows users to trust the third party that distributes the program. Some malware has the ability to falsify this metadata, which fools not only the user but also the AV software. There remain some security tools on Linux that are able to spot and positively identify these faked (hash) signatures. I prefer to use a tool originally developed for parsing and reading Linux ELF binaries called ELF Parser. Written by Jacob Baines, it is now open source and available for most platforms, has Linux and Debian packages, and can be found here. Prior to this, the best option was to dump the binary, which leaves you with assembly code. That is still a necessity to know, but as you can see below, this tool makes primary auditing much easier.

The last one I will cover in this post is not new, but remains quite effective in its stealth. It is known as...

Veil-evasion.
This is not actually a technique per se, but an open source framework. It's designed to evade AV by implementing a number of techniques such as encryption, encoding, Hyperion and others. Any of these can easily be custom written, making it nearly impossible for any of today's AV scan engines or other types of malware detectors to catch the malicious code.

Some of the various types of stealth and evasion tactics used by malware were discussed above. This is only a sampling of what can only be described as intelligent design. Old malware was only mildly disruptive; the new strains out over the last 18-24 months have many new objectives. But at the core they share some basic strategies: stealth, complexity, polymorphism and impressive persistence. There remains much more to their multi-tiered design and agility.

If you don't remember this info, that's ok. Just try to remember the following then; it's easy, and it has been repeated for the same reasons I'm about to write. If you happen across a new malware strain you will never know it. It is silent, it is smarter than you, extremely dynamic and written with pure malice. It will likely siphon all your data, any and all sensitive data (i.e. from your browser, *\AppData\, etc.), and has the ability to destroy you slowly without your knowledge. It will likely outlive your PC or even you, and will permanently delete all traces of itself as a preservation tactic, only to silently re-spawn on the next boot. Sorry to say, but it's already over at this point. Your PC likely has a new remote admin...

There is much more to these than what has been described here. Believe it or not, it is for the better. Some things are better left unspoken. But if you are around or work with these samples on a daily basis, you know what these threats are and know exactly what is happening behind the scenes.

Ignorance is best from here on out. The learning curve from this point is steep and can be disturbing. I will leave any further learning up to those that choose. The decision to gain further knowledge regarding the subjects mentioned above is not mine to make for you. So politely, I will end it here.

Keep safe all, and understand that hacking isn't memorizing a few fact sheets and some various, cookie-cutter syntax. It's an enormous field and takes years of focus and study; it's a form of art. It's a commitment that requires knowledge of many core concepts and learned skillz that take years to develop. It has no static answers; what you may have focused on learning for the last two months may have no purpose tomorrow. And that gives us purpose. Thx for reading, enjoy!


 'd_c0
