Sep 10, 2014

Bypassing Anti-Virus - Packers, Crypters & Other Techniques

Once in a while I need to evade anti-virus systems. Whatever your reason for needing to make an executable or virus undetectable, there are different ways to achieve this. Our goal is to make an executable Fully UnDetectable (FUD). In this post I will briefly point out different tools and techniques to reach this goal.




First things first: there are different scenarios we could cover. One major distinction is whether we want to target a 32-bit or a 64-bit system.

Once you have tried to make your executable FUD you can upload it to VirusTotal and have it checked against various anti-virus systems. Be aware though that VirusTotal distributes your executable to the anti-virus vendors, so it won't stay FUD for long.

Keep in mind that anti-virus solutions work in various ways: some use heuristics, others signature detection, and many use both. The techniques and tools below will mostly help against signature detection.

We start off with the easy scenarios and work our way towards more complex ones.

32-Bit Targets


MSFencode

MSFencode comes as part of the Metasploit framework. Different encoders are available and you can direct different forms of input into MSFencode (e.g. raw input coming from MSFpayload or custom executables). What MSFencode does is randomize parts of the executable as well as its starting point and add some NOP sleds to it.
MSFencode works best with MSFpayload. It does not offer the best level of stealth, although it is very easy to apply.

Click here for an example.

Hyperion

Hyperion works as a PE crypter. That means it encrypts the executable with a deliberately weak 128-bit AES key, and the loader stub brute-forces that key when the file gets executed. Yeah, it's really that simple! It offers a pretty solid level of evasion and is easy to apply.

Click here for a more detailed tutorial.

Veil

The Veil framework uses different techniques to target Windows platforms. It offers a simple command line interface to interact with the tool and aims at creating Meterpreter connections. However, the framework heavily relies on Python and may require you to convert some Python files into executables (e.g. via Py2Exe).

Click here to check out Veil.

(Custom) Open-Source Packer

You can use an open-source packer to compress and obfuscate your executable. However, using a plain packer won't do you much good, because this technique is so obvious that all anti-virus companies have adjusted to the freely available packers. What works very well, on the other hand, is taking an open-source packer and adjusting the code slightly in such a way that the packed executable will differ from an executable packed by the original open-source packer you used. While this is slightly more difficult, it also offers an increased level of stealth.
Commercial packers / crypters often use this approach. The authors of such packers alter open-source packers or crypters and offer to apply their packers to make paying customers' executables FUD.

UPX is an example of an open-source packer.
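The reason stock packers and crypters "don't do you much good" is that they leave cheap, reliable indicators: the stock UPX build emits sections named UPX0/UPX1, and any compressed or AES-encrypted body (the Hyperion case above as much as the packer case here) has near-maximal byte entropy, which scanners measure before they ever look for a signature. The following script is an added example written for this post, not a tool from the original article or from the UPX or Hyperion projects; it parses the PE section table, computes per-section Shannon entropy and flags the two indicators. The section-name list, the 7.0 bits/byte threshold and the synthetic PE skeleton built by `build_sample_pe()` are assumptions constructed for the example.

```python
import math
import random
import struct
from collections import Counter

# Constructed indicator list for this example: section names the stock UPX
# build emits. Not an exhaustive packer-signature set.
KNOWN_PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}
HIGH_ENTROPY = 7.0  # bits per byte; plain code and data usually sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every section in a PE image.

    Minimal parser: DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header ->
    section table. It reads only what the entropy check needs.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", image, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    for i in range(nsections):
        (name, _vsize, _va, raw_size, raw_ptr, _prel, _plin, _nrel, _nlin,
         _schars) = struct.unpack_from("<8sIIIIIIHHI", image, table + i * 40)
        yield name.rstrip(b"\0"), image[raw_ptr:raw_ptr + raw_size]


def analyze_pe(image: bytes) -> dict:
    """Per-section entropy plus the two cheap packer/crypter indicators."""
    report = {"sections": {}, "packer_section_names": [], "high_entropy_sections": []}
    for name, raw in pe_sections(image):
        ent = shannon_entropy(raw)
        label = name.decode("ascii", "replace")
        report["sections"][label] = round(ent, 2)
        if name in KNOWN_PACKER_SECTIONS:
            report["packer_section_names"].append(label)
        if raw and ent >= HIGH_ENTROPY:
            report["high_entropy_sections"].append(label)
    report["suspicious"] = bool(report["packer_section_names"] or report["high_entropy_sections"])
    return report


def _section_header(name: bytes, data: bytes, raw_ptr: int) -> bytes:
    # Constructed header: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # then relocation/line-number fields (zero) and code|execute|read characteristics.
    return struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000,
                       len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)


def build_sample_pe() -> bytes:
    """Constructed PE skeleton (headers plus two sections, not a runnable program):
    a low-entropy .text section and a UPX1 section filled with pseudo-random bytes
    standing in for a compressed or encrypted body."""
    text = b"mov eax, eax; nop; " * 200
    rng = random.Random(1234)  # fixed seed so the example is deterministic
    upx1 = bytes(rng.getrandbits(8) for _ in range(4096))
    e_lfanew = 0x40
    headers_len = e_lfanew + 4 + 20 + 2 * 40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)  # i386, 2 sections, no optional header
    sec1 = _section_header(b".text", text, headers_len)
    sec2 = _section_header(b"UPX1", upx1, headers_len + len(text))
    return dos + b"PE\0\0" + coff + sec1 + sec2 + text + upx1


if __name__ == "__main__":
    for key, value in analyze_pe(build_sample_pe()).items():
        print(f"{key}: {value}")
```

On a real sample, replace `build_sample_pe()` with the file's bytes; the parser ignores the optional header entirely, so it handles both PE32 and PE32+ images. A modified packer defeats the name check but not the entropy check, which is why the "adjust the open-source packer" approach above buys less against heuristic engines than against pure signature matching.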


64-Bit Targets


The 64-bit techniques also apply to 32-bit targets, but not vice versa.

MSFencode... Again

MSFencode offers one encoder for 64-bit systems: x64/xor. Everything mentioned about MSFencode above in the 32-bit section also applies here. There is one more caveat: the x64/xor encoder sometimes fails if a certain part of the executable is too small. If this happens, the part of the executable in question has to be enlarged manually. Which brings us to...

Manual Hex Edit

This method involves some more effort and knowledge. You have to open the executable with a hex editor and alter the part of it that the anti-virus signature matches. While doing this you have to make sure that you don't alter any vital functions, which would make the executable practically useless.
This technique often comes down to trial and error. There are plenty of tutorials out there describing how to use hex editors.

An example for making an executable FUD via hex editing can be found here.

Nebbett's Shuttle

An advanced technique to avoid anti-virus detection is sometimes called Nebbett's Shuttle after its creator Gary Nebbett. It allows executing a program directly from memory, which makes it difficult to detect. The method launches a process in a suspended state. Once the process is suspended, its memory can be overwritten with a new executable and the process can then be resumed. This is, however, an advanced technique.

More information can be found here and in this presentation from BlackHat.
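Because the technique never writes the real payload to disk, file scanning alone will not catch it; what does stand out is the sequence of process events it produces, which is exactly the one the paragraph above describes: a process created suspended, a write into that process's memory from its parent, and a resume. The detection logic below is an added example written for this post, not code from the original article or from Nebbett's work. It runs over constructed telemetry records whose event and field names (`process_create`, `memory_write`, `thread_context_set`, `thread_resume`, `actor`, `target`) are this example's own invention, standing in for whatever your sensor actually emits.

```python
# Constructed telemetry for this example, not from any real sensor. Each record is
# one process or thread event; field and event names are assumed, not a real schema.
SAMPLE_EVENTS = [
    # Hollowing-shaped sequence: suspended create, cross-process write, context change, resume.
    {"ts": 1, "type": "process_create", "actor": 100, "target": 200,
     "image": "C:\\Windows\\System32\\notepad.exe", "suspended": True},
    {"ts": 2, "type": "memory_write", "actor": 100, "target": 200, "size": 65536},
    {"ts": 3, "type": "thread_context_set", "actor": 100, "target": 200},
    {"ts": 4, "type": "thread_resume", "actor": 100, "target": 200},
    # Benign: a debugger-like parent creates a child suspended and resumes it without writing.
    {"ts": 5, "type": "process_create", "actor": 300, "target": 400,
     "image": "C:\\Tools\\child.exe", "suspended": True},
    {"ts": 6, "type": "thread_resume", "actor": 300, "target": 400},
    # Benign: ordinary (non-suspended) creation followed by a small write.
    {"ts": 7, "type": "process_create", "actor": 500, "target": 600,
     "image": "C:\\Windows\\System32\\calc.exe", "suspended": False},
    {"ts": 8, "type": "memory_write", "actor": 500, "target": 600, "size": 16},
]


def find_hollowing_candidates(events):
    """Return one (actor_pid, target_pid, image, context_changed) tuple for every
    suspended-create -> memory-write -> resume sequence between the same two processes.

    The thread-context change is recorded but not required, so the rule still fires
    if the sensor does not report it. Events are sorted by timestamp first, so
    out-of-order delivery does not break the state machine.
    """
    pending = {}  # (actor, target) -> {"image", "wrote", "ctx"} for suspended children
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["actor"], ev["target"])
        kind = ev["type"]
        if kind == "process_create":
            if ev.get("suspended"):
                pending[key] = {"image": ev["image"], "wrote": False, "ctx": False}
            else:
                pending.pop(key, None)  # a normal create is not tracked
        elif key in pending:
            if kind == "memory_write":
                pending[key]["wrote"] = True
            elif kind == "thread_context_set":
                pending[key]["ctx"] = True
            elif kind == "thread_resume":
                state = pending.pop(key)
                if state["wrote"]:
                    hits.append((ev["actor"], ev["target"], state["image"], state["ctx"]))
    return hits


if __name__ == "__main__":
    for actor, target, image, ctx in find_hollowing_candidates(SAMPLE_EVENTS):
        print(f"pid {actor} wrote into suspended child {target} ({image}) "
              f"before resuming it; context changed: {ctx}")
```

The rule keys on the pair (parent, child) rather than on the child alone, so a third process writing into the child is not mistaken for the parent's own activity. Debuggers and some installers legitimately create suspended children, which is why the memory write is the required element and a bare suspended-create-then-resume, as in the second constructed sequence, does not fire.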

2 comments:

  1. Great post!
    I know that there were a reported 1491 data security breaches (made public) in the United States over the last three years. So data security is a truly burning problem. Recently I came across the useful site on that issue - virtual data room reviews

  2. The quickest and most straightforward route is to run antivirus programming. Notwithstanding that, you ought to likewise ensure that you have an infection evacuation device introduced in your framework. how to remove zepto file virus
