Jump to content

How does Anti Virus Work - Bypassing


Recommended Posts

I've been browsing the web trying to find ways of bypassing AV (Antivirus), the first page I visited was: https://community.rapid7.com/community/metasploit/blog/2012/05/08/eternal-sunshine-of-the-spotless-ram and then I decided to do a bit of Googling and found this: http://www.pentestgeek.com/2012/01/25/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm/

All of them require Metasploit to be ran. Anyone got any ideas of bypassing AV without the need of a secondary computer? Of course, there's the method if killing the AV UI and Service, but I'm sure AV software has ways to prevent that, and I'd also need as much information as possible about different AV software such as service name, installation path etc.

You lot have any ideas?

Link to comment
Share on other sites

It depends on what you're trying to get past the AV. Antivirus works in lots of ways, for instance a 'file shield' works by detecting known signatures within files that are being transferred to the hard disk. Many AV also have firewalls, web page scanners, email client scanners, and some even have P2P network shields.

It would help to know what it is your trying achieve, is it just executing a binary on a remote host?

Link to comment
Share on other sites

Some people use a technique called program obfuscation to change what their executable looks like, and sometimes how it functions. There are many ways of accomplishing this, but fewer programs that actually do it. Any program that is any good at masking an executable usually costs money. It is possible however to obfuscate executables if you have access to the source code, and you have a compiler that does not necessarily optimize. One way of obfuscating is adding dead code, which can be done by adding statements that do not do anything after a break or return. If the compiler optimizes however then the executable will look the same regardless, because it will strip out the code. I am not even sure how hackers do it, metasploit is involved I think. I once did a paper on the obfuscation that software developers use to make it harder to reverse engineer their programs, so there are a few differences. I think the main difference between the way hackers do it and the way software developers do is that they do it at different levels of the development process.

Link to comment
Share on other sites

Some people use a technique called program obfuscation to change what their executable looks like, and sometimes how it functions. There are many ways of accomplishing this, but fewer programs that actually do it. Any program that is any good at masking an executable usually costs money. It is possible however to obfuscate executables if you have access to the source code, and you have a compiler that does not necessarily optimize. One way of obfuscating is adding dead code, which can be done by adding statements that do not do anything after a break or return. If the compiler optimizes however then the executable will look the same regardless, because it will strip out the code. I am not even sure how hackers do it, metasploit is involved I think. I once did a paper on the obfuscation that software developers use to make it harder to reverse engineer their programs, so there are a few differences. I think the main difference between the way hackers do it and the way software developers do is that they do it at different levels of the development process.

Obfuscation does not prevent malware alerts what so ever. There are many methods of bypassing AVs and programs which do so are called crypters. I'm not familiar with the rubber ducky as I'm only just purchasing it as we speak, but common methods used in crypters are basically adding junk code to the file, breaking the file before runtime and then putting it back together when the file is being ran. I don't know a lot about the subject but I am a software developer and I do own private crypters.

I think overwraith is confusing crypters with obsfucators as he seems to be somewhat getting at the same angle as me.

Edited by xSploit
Link to comment
Share on other sites

I may be confused, but obfuscators do in fact change the way the the executable functions and how it does look at a machine code level. If I have to double check myself, then so do you.

From my point of view they do literally the same thing, which is change what the machine code looks like. The machine code is what the antivirus uses to determine whether your code has malicious intent.

The antivirus has signatures which are basically pictures of what the machine code looks like. These are what it compares to when determining whether the code is a virus.

Crypters probably do have more advanced methods of obfuscating the machine code, like encryption and polymorphic engines.

Edited by overwraith
Link to comment
Share on other sites

Hi again Lavanoid,

Check out PowerSploit and the section on Bypassing Antivirus. What this script does is it checks for a trace of an Antivirus, then the other programs kill the processes of the AV. Works great on my machines (quite extensive).

Cheers,

MB60893

Link to comment
Share on other sites

Even then, some crypters actually INCREASE the likelihood of detection due to the fact that the engine has to be in the stub somewhere so that the code can be decrypted at runtime.

That's why there are lots of EXE encryption engines, but only a few are actually used by the majority.

Link to comment
Share on other sites

Obfuscation does not prevent malware alerts what so ever. There are many methods of bypassing AVs and programs which do so are called crypters. I'm not familiar with the rubber ducky as I'm only just purchasing it as we speak, but common methods used in crypters are basically adding junk code to the file, breaking the file before runtime and then putting it back together when the file is being ran. I don't know a lot about the subject but I am a software developer and I do own private crypters.

I think overwraith is confusing crypters with obsfucators as he seems to be somewhat getting at the same angle as me.

This is not true. Obfuscation works in way that it ads bullshit code to the malware (If it's a malware you have) and can makes it Scantime FUD (Means if the AV scans it, it wont get detected), while if you run the same file that you just Obfuscated, it will not run if your "malware" is actually Runtime Detected. What a crypter does is to add deal code as you said just like the Obfuscator. Obfuscator changes variable names and such, while a crypter has 2 parts: the builder and the stub. The builder encrypts your server and binds it with the stub. When ran, the stub decrypts your server and injects your server into another process to be run.

Obfuscators should not be used to hide malware, they are really for people to make their .exe's less 'decompileable.' So the source code of the program will not be found/leaked.
I my self use Obfuscators for PDF and Doc Exploit, something which you can't crypt, but using an obfuscator you can easily bypass a few AVs.
Link to comment
Share on other sites

I reviewed the paper I wrote, and apparently there are two forms of virus inspired code obfuscation techniques, polymorphism, and metamorphism. Polymorphism is code that mutates while keeping the original algorithm intact. Metamorphic code is code that can reprogram its self. (I hope I got these definitions right)

So where would we go look to learn more about crypters?

Link to comment
Share on other sites

You are never going to be perfect with your antivirus detection and disabling techniques in any case. Your best bet is just to find a way of not triggering an AV.

Link to comment
Share on other sites

Hi again Lavanoid,

Check out PowerSploit and the section on Bypassing Antivirus. What this script does is it checks for a trace of an Antivirus, then the other programs kill the processes of the AV. Works great on my machines (quite extensive).

Cheers,

MB60893

Looking into it now... Thanks everyone.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...