Presentation is loading. Please wait.

Presentation is loading. Please wait.

Bypassing antivirus detection with encryption

Published byMadeline Cole Modified over 9 years ago

Similar presentations

Presentation on theme: "Bypassing antivirus detection with encryption"— Presentation transcript:

1 Bypassing antivirus detection with encryption
University of Piraeus Department of Digital Systems «Security of Digital Systems» Bypassing antivirus detection with encryption Tasiopoulos Vasilis Good afternoon I am Vasilis tasiopoulos and I am going to present you the research that I did during my master thesis with Mr Sokratis Katsika. The title is … Supervisor: Sokratis Katsikas

2 About Me Studied at University of Piraeus Currently working
Informatics Security in Digital Systems Currently working KPMG as a IT Advisor and Penetration tester Before that I will say some things about me . I have studied at University of Piraeus in the department of informatics and then I did my master with title Security in Digital Systems in the department of digital systems. I am also certified with OSCP from Offencive Security and ISO27001 from TUV. Now I am currently working at KPMG as an IT advisor and especially as a penetration tester

3 Contents Related Research Background Knowledge-Antivirus Crypter
Background Knowledge-Portable executable Background Knowledge-Portable Executable Loader RunPE and Injection Our Implementation Results Now lets start Here we can see the outline of this presentation .

4 Why? It is easier to change crypter
It is harder to change ALL malwares Who can use it: Penetration Tests Anyone for Legitimate purpose There are a lot of times in my work as pentester that I must persuade someone that antivirus software does not provide ultimate security. So why we need Crypters . There are a lot of virus out there that antivirus can identify and we cannot use anymore. So … What if we could create something (I mean the crypter ) that can encrypt any malware and then if It gets identified by an antivirus we just need to change the crypter.

5 Related Research Implementation of Runtime Crypter by Christian Ammann
Packing Heat by Dimitrios A. Glynos The Crypter BluePrint by crypters.net Several tutorial on HackForums.net Here we se related research in this subject that helped us in making our crypter.

6 Background Knowledge - Antivirus
Signature-based detection: Traditionally, antivirus software heavily relied on signatures to identify malware. Heuristics: Another technique used in antivirus software is the use of heuristic analysis to identify new malware or variants of known malware. Real-time protection: Newer antivirus software also has another mechanism called “real time” protection. It is known that some (malicious) code may be hidden, encrypted, obfuscated or even created instantly. To be able to deal with such tricks antivirus packages are also capable of monitoring and intercepting API calls and of performing a kind of "behavioral analysis". So, if a well-known process acts in an unusual manner the antivirus will mark it as suspicious. Before we continue we must say some things about antivirus and the mechanisms that detect malwares just to know what we must evade. We have …. We also have …. And newer antivirous have an option called ….

7 Crypters: Types and behavior
Runtime Scantime Options Internal Stub External Stub A Runtime Crypter encrypts the specified file and when executed (run), it is decrypted in memory. In this way antivirus packages are incapable of analyzing the file before and after execution. A Scantime Crypter encrypts the specified file so that antiviruses become unable to analyze the file only before executed, but NOT when executed. Crypter must: Encrypt

8 Crypter’s behavior Stub must: Decrypt Execute malware Stub options:
Save in directory Load it in memory Load it in stub’s process Load in new process Inject into another process (optimal)

9 RunPE and Injection Method discovered by T.keong Injection:
The stub is executed A new process is created in "suspended" state The Stub decrypts the malware The stub load the malware in the place of the suspended legitimate process The process is unsuspended. Limitation: 32 bit process or 64 bit process Not in both Different Implementations: Alternative way to call Apis Use of undocumented Apis But just loading the malware to the memory is not enought . It is better to inject the malware in a legitimate process. This can be done with a method discovered by T.Keong . The method follow the below steps : This method exist for many years and has been extensively used for crypters and malwares and thats why we need modify it in order to bypass antivirus. Alternative way to call Apis Use of undocumented Apis

10 Our Implementation Crypter’s Type Runtime Crypter External Stub
Developed C# Visual Studio 2500 lines of code Encryption AES Sting pass to md5 >output 128 > pass to aes as key .

11 Architecture User Selects the malware Removing comments from stub
Adding Hide code to stub (optional) Removing comments from stub Adding Fake message to stub (optional) Adding Junk Code to stub (optional) Adding Fake Apis to stub (optional) Add decompression code to stub (optional) Adding Addi-… code to stub (optional) Randomizing class, function, variable names and add them to stub and to RunPE Adding Encryption Key to stub User Selects the malware User configures the available options (optional) Crypter reads the malware byte per byte Encrypting malware Crypter reads the Stub Adding assembly info to stub (optional) Encrypting injection path Adding injection process path to stub Reading selected RunPE Adding startup code to stub (optional) We have included several options to our crypter . This options are the ones that are stated as optional .

12 Architecture Compiling RunPE as DLL Reading DLL Encrypting DLL
Compressing encrypted DLL(optional) Adding encrypted Malware and DLL ass resources to stub Adding Icon to stub(optional) Compiling Stub as executable Adding Eof data to executable (optional) RunPE is compiled as a DLL because we want to encrypt and load it directly in memory . This can be made is because we have created it with managed code. And .Net framework can do the work for us.

13 Architecture Stub after execution: Read Encrypted DLL Decrypt DLL
Load DLL in memory Read Encrypted malware Decrypt malware Call DLL for decrypted malware Malware inject to another process

14 Architecture Key Points Unique code
Injection implemented in encrypted DLL Random Function Names, Class names, Variable names Encrypted Strings Result: Unique Executable

15 Crypters GUI and Options

16 Crypters GUI and Options

17 Crypters GUI and Options

18 Results The lab: Online Scanner http://nodistribute.com
Windows XP 32/64 bit - Avast/AVG Windows Vista 32/64 bit – Kaspersky/Norton Windows 7 32/64 bit –Microsoft Security Essential/ESET Online Scanner Files Tested Netcat.exe Darkomet malware Poison Ivy

19 Results Virus Injection Method Windows Version RunPE Choice Working
Detection Notes Darkcomet CSC 32bit 3 YES 0/40 64bit 2 5 6 Default Browser Mozilla Mozilla/Chrome Internet explorer svchost

Download ppt "Bypassing antivirus detection with encryption"

Similar presentations

Sample chapter from https://training.zdresearch.com Reverse Engineering Course.

Sample chapter from Reverse Engineering Course.
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.

Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
CSCE 145: Algorithmic Design I Chapter 1 Intro to Computers and Java Muhammad Nazmus Sakib.

CSCE 145: Algorithmic Design I Chapter 1 Intro to Computers and Java Muhammad Nazmus Sakib.
Day 4-1-1 anti-virus 3-3-1.anti-virus 1 detecting a malicious file malware, detection, hiding, removing.

Day anti-virus anti-virus 1 detecting a malicious file malware, detection, hiding, removing.
Software Certification and Attestation Rajat Moona Director General, C-DAC.

Software Certification and Attestation Rajat Moona Director General, C-DAC.
1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.

1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.
ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.

ROOTKIT VIRUS by Himanshu Mishra Points to be covered Introduction History Uses Classification Installation and Cloaking Detection Removal.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 5 Administering File Resources.
Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.

Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 7: Advanced File System Management.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 7: Advanced File System Management.
Chapter 9 Security 9.7 - 9.8 Malware Defenses. Malware Can be used for a form of blackmail. Example: Encrypts files on victim disk, then displays message.

Chapter 9 Security Malware Defenses. Malware Can be used for a form of blackmail. Example: Encrypts files on victim disk, then displays message.
ANDROID PROGRAMMING MODULE 1 – GETTING STARTED

ANDROID PROGRAMMING MODULE 1 – GETTING STARTED
Anti Virus Techniques Jordan & Ryan Use of Checksum The Binary for key files is added up to a number especially in the boot files When these files are.

Anti Virus Techniques Jordan & Ryan Use of Checksum The Binary for key files is added up to a number especially in the boot files When these files are.
1 Panda Malware Radar Discovering hidden threats Technical Product Presentation Name Date.

1 Panda Malware Radar Discovering hidden threats Technical Product Presentation Name Date.
Masud Hasan 03-60-475 Secure Email Project 1. Secure Email It uses Digital Certificate combined with S/MIME capable email clients to digitally sign and.

Masud Hasan Secure Project 1. Secure It uses Digital Certificate combined with S/MIME capable clients to digitally sign and.
Beyond Anti-Virus by Dan Keller 1987- Fred Cohen- Computer Scientist “there is no algorithm that can perfectly detect all possible computer viruses”

Beyond Anti-Virus by Dan Keller Fred Cohen- Computer Scientist “there is no algorithm that can perfectly detect all possible computer viruses”
Code Injection and Software Cracking’s Effect on Network Security Group 5 Jason Fritts Utsav Kanani Zener Bayudan ECE 4112 Fall 2007.

Code Injection and Software Cracking’s Effect on Network Security Group 5 Jason Fritts Utsav Kanani Zener Bayudan ECE 4112 Fall 2007.

Similar presentations

Ads by Google