4. What you're going to learn?
• Why this topic!?
• What is a malware?
• Types of Malware.
• Statistics of malware.
• Solution for malwares.
• Signature based AV.
• Heuristic based AV.
• Generations of AV.
• Standards and testing of anti-malware applications, and who does it?
• Important terms.
• Methods to bypass AV.
• How it works? The background process.
• Demo for bypassing Anti-malware application.
• Conclusion.
• Mitigations.
6. Why this topic!?
A dedicated module for evading and bypassing in OSCP (Module 18).
My interest in anti-malware applications and malware reverse engineering.
8. Types of Malware
• Virus: A virus is a contagious program or code that attaches itself to another piece of software, and then reproduces itself when that software is run. Most often it is spread by sharing software or files between computers.
• Worm: A program that replicates itself and destroys data and files on the computer. Worms work to “eat” the operating-system files and data files until the drive is empty.
• Trojan: The most dangerous malware. They mainly act as a backdoor for an intruder (crackers!).
• Ransomware: A type of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed.
• And many more like rootkits, adware, spyware, ransomware, browser hijackers.
• Purpose: They are all built for damaging computers and devices (Internet of Things, phones…).
10. Mobile Device malware statistics
**Statistics are from the security bulletin 2013; for the year 2014, Android has 98%.
11. Solution for malwares & Can you depend on anti-malware solutions??
• Use of anti-malware applications.
• If the anti-malware solution is good, how can I bypass it?
Ans: The malware sample has to be analyzed, a signature has to be generated, and the database of the anti-malware application has to be updated. Then it's good! (Signature-based anti-malware solutions.)
Disadvantage of signature-based AV solutions:
• Until its signature is available, it's pretty much useless.
Solution: Heuristic-based AV solution (behaviour based) [runs in a sandbox environment].
Question arises in your mind: “Can you bypass it from detecting?”
13. Heuristic Illustration
However, heuristic analysis operates on the basis of experience (by comparing the suspicious file to the code and
functions of known viruses). This means it is likely to miss new viruses that contain previously unknown methods of
operation not found in any known viruses. Hence, the effectiveness is fairly low regarding accuracy and the number of
false positives.
17. Keywords to remember before you go hunting!
• Payload: A payload refers to the component that executes the malicious activity.
• Signature: The pattern through which the anti-virus detects the malware.
• Encoder.
• Crypter.
18. Encoder
• Encoder: Encoding is the process of putting a sequence of characters into a special format for transmission or storage purposes. Eg: x86/Shikata, HTML, Base64… and so on.
• Can maintain readability.
Eg: Base64
“Hello n|u” => “SGVsbG8gbnx1”.
• Decoder: Reverses the process of the encoder.
Eg:
“SGVsbG8gbnx1” => “Hello n|u”.
Simple example for encoding:
English: Hello
Encoding: %48%65%6c%6c%6f (URL encoding)
Source: http://www.asciitable.com/
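An added example (not from the slides) of what “Signature” on slide 17 and “Encoder” on slide 18 mean to a scanner, in Python: a plain signature match misses the deck's own “Hello n|u” sample once it is Base64-encoded, while a scanner that decodes candidate Base64 runs before matching finds it again, up to a depth limit. The demo signature, the Base64-run regex and the depth cap are constructed for this example.

```python
import base64
import re

# Constructed demo signature: the byte pattern a signature-based scanner looks for.
# Here it is the deck's own sample string; a real engine carries bytes taken
# from an analysed malware sample.
SIGNATURES = {"demo-sig-1": b"Hello n|u"}

# Candidate Base64 runs: 8+ alphabet characters plus optional padding (assumed heuristic).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def scan_raw(data: bytes) -> list[str]:
    """Plain signature match: names of signatures that appear verbatim in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def encode_layers(data: bytes, layers: int) -> bytes:
    """Apply Base64 `layers` times: what an encoder does to hide a pattern from scan_raw."""
    for _ in range(layers):
        data = base64.b64encode(data)
    return data


def base64_views(data: bytes, max_depth: int = 3) -> list[bytes]:
    """data plus every Base64-decodable run inside it, recursively up to max_depth.
    Decoding needs no key, so an encoder alone cannot defeat a scanner that normalises
    its input first; the depth cap trades CPU for coverage, and deeper nesting is missed."""
    views = [data]
    if max_depth == 0:
        return views
    for match in B64_RUN.finditer(data):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # wrong length or padding: not a real Base64 run
            continue
        views.extend(base64_views(decoded, max_depth - 1))
    return views


def scan_normalised(data: bytes, max_depth: int = 3) -> list[str]:
    """Signature match over the raw bytes and every decoded layer."""
    hits = set()
    for view in base64_views(data, max_depth):
        hits.update(scan_raw(view))
    return sorted(hits)


if __name__ == "__main__":
    sample = b"config=" + encode_layers(b"Hello n|u", 1) + b";"
    print(scan_raw(sample))         # []              signature hidden by the encoder
    print(scan_normalised(sample))  # ['demo-sig-1']  found again after decoding
```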
19. Encryption:
• Crypter: Encryption is the conversion of data into another form, called ciphertext, which cannot be easily understood by anyone except authorized parties. Eg: AES, DES, Blowfish… and so on. Can't maintain readability.
• Old school eg:
ABCD => CEGH
Secret message:
This is a secret message => uses AES 256-bit key
After encryption:
EnCt23782e8f79decb65f687bc6bd9ebcad8293e66a303782e8f79decb65f687bc6bdWLifDgsiEQLbYcg4WFX864+XRc5u8ZGD2FqJtvLJNBwjlTunJ2c=IwEmS
20. Some methods to bypass AV
• DLL or code injection.
• Divide the exe.
• Metasploit (msfpayload + msfencode) or msfvenom.
• Use crypters and binders.
• Use of PowerShell as bait! (Because AV never stops PowerShell; thanks to MS for giving us PowerShell.)
23. Linux & Unix are safe from malware!
• Mumblehard is here! It's a malware that targets Linux and Unix-like (BSD) systems. It came to an end after 5 years.
24. Conclusion and mitigations
• Conclusion is that now you can bypass AV.
• Mitigations:
1. Keep your AV updated.
2. Never run unknown binary files (.exe).
3. Use hashes to check the genuineness of the application.
Eg: Most software websites provide MD5 (Message Digest) and SHA (Secure Hash Algorithm) hashes, or an RSA signature.
md5sum in Linux/Unix/macOS, MD5 Calculator for Windows.
25. Mitigations
• Hashes are the first line of defense!
• No torrent or crack downloads.
• No pre-activated Windows!
• Patch your OS with new updates (malware takes advantage of vulnerabilities).
• Full system scan twice a month, including rootkits.
• Quick tip: If you have no way except using a crack, use an isolated virtual machine.