Antiviruses, which are part of protection from cyber attacks that are increasing exponentially every day, are software that we use to prevent any malicious software from infecting our devices. Antiviruses, one of the most basic layers of providing security, use 2 different types of techniques on our devices. These are Static and Dynamic techniques.
Static Techniques
- String Check
Antiviruses keep the signatures of previously detected malware in databases. When examining a file, they first get the signature of the file and then search it in the database. If there is a match with any signature, the file is quarantined and deleted. This process usually takes place on the disk.
- Signature Check
Strings in programs can give information about the program. For example, if there are String expressions such as “cmd.exe, Host, Port” in a program, it most likely thinks it is malware and quarantines it and deletes it. Apart from antiviruses, malware analyzers look at Strings.
Dynamic Techniques
- Code Re-Use
Antiviruses check whether the static or dynamic pattern of previously caught malware is present in the scanned program. For example: If we encrypt the meterpreter payload and store it in a program, and decrypt and execute it at runtime, the antivirus will say and detect what this program does at runtime is the same or very similar to the meterpreter.
- Scoring System
With the dynamic analyzes it performs in antiviruses, modern solutions (Sandbox etc.), it tries to find answers to questions such as which system APIs the program interacts with, which processes it communicates with, what it is doing on the network. After the analysis, a score is given to the program. According to the score, the user can be asked what to do, the program can be quarantined or sent to the cloud servers of antiviruses.
How to Bypass Anti-Virus?
When we examine the techniques I mentioned above, we see that in dynamic and static analysis, comparisons are mostly made with previously caught malware, so in this case, we see that a newly written malware is not very effective in protecting computers. EDR products ensure the security of our systems.
In this case, we can say that the uniqueness of our program, that is, developing a new malware for ourselves, is one of the most important ways to bypass the antivirus. In this section, I will talk about techniques for both hiding our original code and hiding common malware.
We can apply 2 important actions to our malware to bypass some dynamic analysis techniques, String checks, variable name checks and signature checks performed by antiviruses. Adding “Junk code” and performing “Code obfuscation”
- Adding Junk Code
It is the extra code that works without interfering with the actual function of the program. Performing certain operations repeatedly by malicious software reduces the detection potential of antivirus programs, but with Junk code, this possibility can be greatly reduced by adding unnecessary codes in between
Example code::
- Code Obfusaction
We should not put the variable names, important Strings (cmd.exe, PORT, HOST, etc.) we use in the code into the code as they are. For example, we can encrypt it and decrypt it while the code is running.
Example code::
The image below contains the source code of the malware that provides access to an ordinary meterpreter shell, which is included in the group of (FUD) malware developed by us using .Net technology.
Disclaimer
Dear visitor,
This blog post is for information purposes and has been prepared with the aim of raising awareness against attacks and taking measures in this direction. We remind you that it is not legal to use the information in this article outside of its purpose, we recommend you to apply it in your test environments beforehand. Otherwise, we declare that CyberArts is not responsible for any errors, deficiencies or malfunctions that may arise in your systems due to this situation and cannot be held responsible for direct or indirect damages and losses that may arise from them.
Regards,
CyberArts Bilisim A.S.
