The document provides an overview of how anti-virus software works and techniques used to bypass antivirus detection. It discusses how antiviruses use signature-based, heuristic-based, behavioral, and sandboxing techniques to detect malware. It also explains common techniques used to evade detection like packers, splitters, code obfuscation, and injection. The document concludes that while antivirus has improved, virus creators continually develop new methods to bypass protections and that additional security measures are still needed.
2. Agenda
+ Introduction
+ Anti-virus: how they actually work?
+ Anti-virus detection techniques
+ PE Portable Executable – simplified
+ !%##$*@@$ where the signatures are stored?
+ Anti-virus Bypassing Techniques
+ Conclusion
3. Introduction
• Anti-virus software has truly evolved a lot over the last decade.
• The days when AVs only supported “string-based detection” are gone.
6. Introduction
• If our AVs detect and eliminate newly discovered viruses, why do we see the number of viruses growing each year?
• Are the virus coders so stupid?
7. Some really smart people (hackers/crackers) already know how to bypass AV protection.
10. Anti-virus: How they actually work
• Nowadays AV scans our system in real time.
• Information is analyzed based on its origin, i.e. the source of the information.
• The AV operates differently depending upon the source of the information.
11. Anti-virus working from a top-level view.
If the file is found malicious, the information will not be copied to the destination location. (Here the destination in our case is the HD.)
12. One of two possibilities takes place
• When the data is found to be legitimate, the scanner forwards that data to the destination location.
• When a virus is detected, a warning is sent to the UI for the user's action. The interface may vary.
13. Process flow of the working of AV.
(Figure: AV scanner scanning information in real time.)
14. AV detection techniques (scan engines)
• Signature-based detection (also sometimes called “string-based” detection)
• The AV maintains a dictionary of the signatures of known viruses, malware, spyware, etc.
• This dictionary is stored on the client side and is usually in binary form.
• Next-generation signature-based detection
• Disadvantage?
16. Heuristic-based detection
• Used to detect new, unknown viruses in your system that have not yet been identified.
• Based on the piece-by-piece examination of a virus.
• Looks for the sequences of instructions that differentiate a virus from ‘normal programs’.
17. Behavioral-based detection
• Observes how the program actually executes, rather than merely emulating its execution.
• Identifies malware by looking for suspicious behavior.
• Works similarly to a behavioral HIDS.
• Disadvantage?
18. Sandboxing-based detection
• What is a “sandbox”?
• Isolates the files that are to be scanned and monitors their activity.
19. PE Portable Executable – simplified
• Do you think that an executable file is one single file?
• PE, or Portable Executable, is a file format for executables, object code and DLLs used in the 32-bit and 64-bit versions of the Windows operating system.
21. Where can you find the PE?
• When you open your executable in a debugger like OllyDbg, or in a hex editor, you can view it.
23. Where are the signatures stored?
• When we examine any executable with a hex editor or a debugger we can get the file signature.
• A malicious file's signature is not necessarily found only in the MZ header; it may be present in any of the sections just explained.
25. Caution!! AV bypassing techniques
These are the techniques that hackers and crackers already know.
These are:
• Binders and packers
• Using a splitter
• Code conversion from EXE to client-side script
• Code obfuscation
• Using the Metasploit framework
• Code or DLL injection
27. • Packers: Similar to binders, but with just one difference.
Popular binders and packers are Infector v2, Exe Maker, Exe Joiner, EliteWrap and UPX, etc., widely available on the internet.
Note: These techniques are not effective nowadays.
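The two points above, that a signature can sit in any PE section rather than only in the MZ header (slide 23) and that packers hide it (slide 27), as an added example that is not part of the original deck: a small Python scanner that walks the PE section table, matches every header region and section against a signature dictionary, and flags high-entropy sections as a packing heuristic. The PE buffer, the signature pattern and the 7.0 bits/byte threshold are constructed values, not taken from the deck or from any real AV product.

```python
import math
import struct
from collections import Counter

# Constructed signature dictionary (name -> byte pattern); placeholder, not a real AV signature.
SIGNATURES = {"Constructed-Sig-1": b"CONSTRUCTED-MALICIOUS-PATTERN"}

def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table;
    returns [(name, raw_offset, raw_size), ...]."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]      # offset of "PE\0\0"
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # 20-byte COFF header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                          # first 40-byte section entry
    out = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        out.append((name.rstrip(b"\0").decode(), raw_ptr, raw_size))
    return out

def entropy(blob: bytes) -> float:
    """Shannon entropy in bits/byte; packed or encrypted data sits near 8.0."""
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values()) if n else 0.0

def scan_pe(pe: bytes, packed_threshold: float = 7.0):
    """Signature hits for the header region and every section (the MZ header is
    not the only place a signature can live), plus sections that look packed."""
    sections = parse_sections(pe)
    hdr_end = min(s[1] for s in sections) if sections else len(pe)
    regions = [("headers", pe[:hdr_end])] + [(n, pe[p:p + sz]) for n, p, sz in sections]
    hits = [(name, sig) for name, blob in regions for sig, pat in SIGNATURES.items() if pat in blob]
    packed = [name for name, blob in regions[1:] if entropy(blob) >= packed_threshold]
    return hits, packed

def build_sample_pe(data_blob: bytes) -> bytes:
    """Constructed minimal PE (DOS hdr, PE sig, COFF hdr, no optional hdr, .text + .data); not runnable."""
    text, e_lfanew = b"\x90" * 16, 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)   # i386, 2 sections
    hdr_end = e_lfanew + 4 + 20 + 2 * 40
    def sec(name, ptr, blob):  # IMAGE_SECTION_HEADER with raw pointer/size filled in
        return struct.pack("<8sIIIIIIHHI", name, len(blob), 0x1000, len(blob), ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + sec(b".text", hdr_end, text) + sec(b".data", hdr_end + 16, data_blob) + text + data_blob
```

Running `scan_pe(build_sample_pe(...))` with the pattern placed in `.data` reports the hit in that section, while a high-entropy `.data` blob yields no signature hit but is flagged as packed, which is exactly the gap the packer slide describes.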
28. Splitting the file
• These are programs that split a single file into a number of small files.
29. • One may change some code in a small chunked file to evade AV detection, join it again and scan it to check whether the AV flags it as malicious or not. A trial-and-error method.
• POC
30. Code conversion from EXE to client-side scripts
One may convert the file to client-side scripts, which are also executable.
But again, needless to say, this technique is also not foolproof.
31. Code obfuscation
• This simply means transforming the code into some other form.
• There are many ways of doing code obfuscation; the major ones are:
1. Polymorphism
2. Metamorphism, etc.
32. Using the Metasploit framework
• Using the Metasploit framework, one can also easily bypass AV.
• Here the code is encoded and a decoding routine is added to the code itself. Upon execution, the code is first decoded and then run.
• Note: Encoding and decoding are different.
33. • msfencode: a useful tool that alters the code in an executable so that it looks different to antivirus software but still runs the same way.
35. Code or DLL injection
• What the heck is code or DLL injection?
• The most stealthy method so far for the post-exploitation phase in pentesting.
36. Conclusion
• As mentioned before, AV has really evolved a lot, but at the same time the techniques to bypass detection have also evolved.
• Installing an AV and thinking that you are safe would be nothing more than stupidity.
• Virus coders will always look for different ways or means to evade any anti-virus product and infect systems.
37. Conclusion
• One may install a real-time port monitor to identify any malicious virus that may have bypassed AV detection.
• One may also implement strict policies, maintain update routines and look for existing vulnerabilities in the system which may be exploited.