University of Piraeus Department of Digital Systems «Security of Digital Systems» Supervisor: Sokratis Katsikas Bypassing antivirus detection with encryption Tasiopoulos Vasilis

Post on 17-Dec-2015


Page 1

University of Piraeus
Department of Digital Systems
«Security of Digital Systems»

Supervisor: Sokratis Katsikas

Bypassing antivirus detection with encryption

Tasiopoulos Vasilis

Page 2

About Me

Studied at University of Piraeus: Informatics; Security in Digital Systems

Currently working at KPMG as an IT Advisor and Penetration Tester

Page 3

Contents

• Related Research
• Background Knowledge - Antivirus
• Crypter
• Background Knowledge - Portable Executable
• Background Knowledge - Portable Executable Loader
• RunPE and Injection
• Our Implementation
• Results

Page 4

Why?

• It is easier to change the crypter
• It is harder to change ALL the malware

Who can use it:
• Penetration tests
• Anyone with a legitimate purpose

Page 5

Related Research

• Implementation of Runtime Crypter by Christian Ammann
• Packing Heat by Dimitrios A. Glynos
• The Crypter BluePrint by crypters.net
• Several tutorials on HackForums.net

Page 6

Background Knowledge - Antivirus

Signature-based detection: Traditionally, antivirus software heavily relied on signatures to identify malware.

Heuristics: Another technique used in antivirus software is the use of heuristic analysis to identify new malware or variants of known malware.

Real-time protection: Newer antivirus software also has another mechanism called “real time” protection. It is known that some (malicious) code may be hidden, encrypted, obfuscated or even created instantly. To be able to deal with such tricks antivirus packages are also capable of monitoring and intercepting API calls and of performing a kind of "behavioral analysis". So, if a well-known process acts in an unusual manner the antivirus will mark it as suspicious.

Page 7

Crypters: Types and behavior

Types:
• Runtime
• Scantime

Options:
• Internal Stub
• External Stub

Crypter must:
• Encrypt

Page 8

Crypter’s behavior

Stub must:
• Decrypt
• Execute malware

Stub options:
• Save in directory
• Load it in memory
  • Load it in stub’s process
  • Load in new process
  • Inject into another process (optimal)
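The two crypter slides above come down to one static fact a scanner can use before the stub ever runs: the payload the stub carries is encrypted, and AES ciphertext is statistically close to uniform random bytes, while code, strings and resources are not. The following is an added example, not code from the presentation or from the author's crypter. It scans a byte buffer with sliding-window Shannon entropy and reports the regions that score near 8 bits/byte, the triage signal a scanner uses to flag an embedded encrypted or packed blob. The file image it scans is constructed inline (text-like bytes around a SHA-256-derived blob standing in for ciphertext); the window size, stride and 7.0 bits/byte threshold are assumptions to be tuned on a real corpus.

```python
"""Sliding-window entropy triage for an embedded encrypted payload
(added example; the sample buffer below is constructed, not a real file)."""
import hashlib
import math
from collections import Counter

WINDOW = 512        # bytes per window (assumption; tune per corpus)
STEP = 64           # window stride
THRESHOLD = 7.0     # bits/byte; 512 bytes of ciphertext score about 7.6


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data: 0.0 for constant input, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = WINDOW, step: int = STEP,
                         threshold: float = THRESHOLD):
    """Return [(start, end, max_entropy)] for contiguous runs of windows whose
    entropy is at least `threshold`; overlapping hits are merged into one region."""
    regions = []
    for off in range(0, max(len(data) - window + 1, 1), step):
        chunk = data[off:off + window]
        ent = shannon_entropy(chunk)
        if ent < threshold:
            continue
        end = off + len(chunk)
        if regions and off <= regions[-1][1]:          # overlaps the previous hit: extend it
            start, _, best = regions[-1]
            regions[-1] = (start, end, max(best, ent))
        else:
            regions.append((off, end, ent))
    return regions


def build_sample() -> bytes:
    """Constructed file image: 2048 bytes of text-like data, a 1024-byte blob of
    SHA-256 outputs standing in for AES ciphertext, then 1024 more bytes of text."""
    head = (b"This program cannot be run in DOS mode. Lorem ipsum dolor sit amet. " * 64)[:2048]
    blob = b"".join(hashlib.sha256(b"sample-%d" % i).digest() for i in range(32))
    tail = (b"kernel32.dll LoadLibraryA GetProcAddress ExitProcess " * 64)[:1024]
    return head + blob + tail


if __name__ == "__main__":
    image = build_sample()
    for start, end, ent in high_entropy_regions(image):
        print(f"high-entropy region {start:#x}-{end:#x} ({end - start} bytes), "
              f"max {ent:.2f} bits/byte")
```

On the constructed image the scan reports a single region covering the blob at offsets 0x800 to 0xC00. Entropy is a triage signal rather than a verdict: compressed resources, images and legitimate packers score just as high, which is why the behavioural checks the antivirus slide describes are needed alongside it.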

Page 9

RunPE and Injection

Method discovered by T.keong

Injection:
• The stub is executed
• A new process is created in "suspended" state
• The stub decrypts the malware
• The stub loads the malware in the place of the suspended legitimate process
• The process is unsuspended

Limitation: 32-bit process or 64-bit process, not both

Different implementations:
• Alternative way to call APIs
• Use of undocumented APIs
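The injection sequence on this slide (create a process suspended, write the decrypted image into it, resume it) is exactly the kind of API-call pattern the "real-time protection" bullet on the antivirus slide says behavioural monitoring is meant to catch. As an added example, not part of the presentation or of its C# implementation, the following Python tracks that sequence per (parent, child) process pair over an API-call trace and reports the pairs that complete it in order. The trace lines and their `pid=/api=/target=/flags=` layout are constructed for this example; a real sensor (Sysmon, an EDR hook log) needs its own parser, and the set of optional calls is an assumption.

```python
"""Behavioural check for the RunPE / process-hollowing call sequence over an
API-call trace (added example; trace lines and their field layout are constructed)."""
import re

# Constructed line layout: "<time> pid=<caller> api=<Name> target=<pid> [flags=<...>]"
LINE_RE = re.compile(r"pid=(\d+)\s+api=(\w+)(?:\s+target=(\d+))?(?:\s+flags=(\S+))?")

# The steps the slide's sequence shares across RunPE variants, in required order.
REQUIRED = ("CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread")
# Calls that commonly appear in between; recorded when seen but not required (assumption).
OPTIONAL = {"NtUnmapViewOfSection", "VirtualAllocEx", "GetThreadContext"}


def parse_line(line: str):
    """Return (caller_pid, api, target_pid_or_None, flags) or None for unparseable lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    pid, api, target, flags = m.groups()
    return int(pid), api, (int(target) if target else None), (flags or "")


def detect_hollowing(lines):
    """Report (parent, child) pairs where the parent created the child suspended,
    wrote into it, replaced its thread context and resumed it, in that order."""
    tracked = {}   # (parent, child) -> list of APIs observed so far
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        pid, api, target, flags = rec
        if api == "CreateProcess":
            # Only a suspended creation opens a candidate sequence.
            if target is not None and "CREATE_SUSPENDED" in flags:
                tracked[(pid, target)] = ["CreateProcess"]
            continue
        seen = tracked.get((pid, target))
        if seen is None:
            continue
        done = sum(1 for a in seen if a in REQUIRED)   # required steps matched so far
        if api == REQUIRED[done]:
            seen.append(api)
            if done + 1 == len(REQUIRED):
                alerts.append({"parent": pid, "child": target, "calls": tuple(seen)})
                del tracked[(pid, target)]
        elif api in OPTIONAL:
            seen.append(api)
    return alerts


# Constructed trace: one hollowing sequence (412 -> 988), one ordinary child
# creation (700 -> 701) and a child created suspended but never written to (900 -> 901).
SAMPLE_TRACE = [
    "10:00:01 pid=412 api=CreateProcess target=988 flags=CREATE_SUSPENDED",
    "10:00:01 pid=412 api=NtUnmapViewOfSection target=988",
    "10:00:01 pid=412 api=VirtualAllocEx target=988",
    "10:00:01 pid=412 api=WriteProcessMemory target=988",
    "10:00:02 pid=412 api=WriteProcessMemory target=988",
    "10:00:02 pid=412 api=SetThreadContext target=988",
    "10:00:02 pid=412 api=ResumeThread target=988",
    "10:00:05 pid=700 api=CreateProcess target=701 flags=0",
    "10:00:05 pid=700 api=WriteProcessMemory target=701",
    "10:00:06 pid=700 api=ResumeThread target=701",
    "10:00:07 pid=900 api=CreateProcess target=901 flags=CREATE_SUSPENDED",
    "10:00:07 pid=900 api=ResumeThread target=901",
]

if __name__ == "__main__":
    for a in detect_hollowing(SAMPLE_TRACE):
        print(f"suspected hollowing: pid {a['parent']} -> pid {a['child']}: "
              + " > ".join(a["calls"]))
```

Only the 412 -> 988 pair is reported. Debuggers and some browsers' sandbox launchers also create children suspended and write into them, so a production rule adds context before alerting: whether the written region is executable, whether the child's in-memory image still matches its file on disk, and the reputation of the parent.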

Page 10

Our Implementation

Crypter’s type:
• Runtime crypter
• External stub

Developed in:
• C#
• Visual Studio
• 2500 lines of code

Encryption: AES

Page 11

Architecture

1. User selects the malware
2. User configures the available options (optional)
3. Crypter reads the malware byte per byte
4. Encrypting malware
5. Crypter reads the stub
6. Adding assembly info to stub (optional)
7. Encrypting injection path
8. Adding injection process path to stub
9. Reading selected RunPE
10. Adding startup code to stub (optional)
11. Adding hide code to stub (optional)
12. Removing comments from stub
13. Adding fake message to stub (optional)
14. Adding junk code to stub (optional)
15. Adding fake APIs to stub (optional)
16. Adding decompression code to stub (optional)
17. Adding Addi-… code to stub (optional)
18. Randomizing class, function and variable names and adding them to stub and to RunPE
19. Adding encryption key to stub

Page 12

Architecture

20. Compiling RunPE as DLL
21. Reading DLL
22. Encrypting DLL
23. Compressing encrypted DLL (optional)
24. Adding encrypted malware and DLL as resources to stub
25. Adding icon to stub (optional)
26. Compiling stub as executable
27. Adding EOF data to executable (optional)

Page 13

Architecture

Stub after execution:
• Read encrypted DLL
• Decrypt DLL
• Load DLL in memory
• Read encrypted malware
• Decrypt malware
• Call DLL for decrypted malware
• Malware injected into another process

Page 14

Architecture

Key points:
• Unique code
• Injection implemented in encrypted DLL
• Random function names, class names, variable names
• Encrypted strings

Result: Unique executable

Page 15

Crypters GUI and Options

Page 16

Crypters GUI and Options

Page 17

Crypters GUI and Options

Page 18

Results

The lab:
• Windows XP 32/64 bit - Avast/AVG
• Windows Vista 32/64 bit - Kaspersky/Norton
• Windows 7 32/64 bit - Microsoft Security Essentials/ESET

Online scanners:
• http://nodistribute.com
• https://www.metascan-online.com

Files tested:
• Netcat.exe
• DarkComet malware
• Poison Ivy

Page 19

Results

Virus      Injection Method   Windows Version   RunPE Choice   Working   Detection   Notes
Darkcomet  CSC                32bit             3              YES       0/40
Darkcomet  CSC                64bit             3              YES       0/40
Darkcomet  CSC                32bit             2              YES       0/40
Darkcomet  CSC                64bit             2              YES       0/40
Darkcomet  CSC                32bit             5              YES       0/40
Darkcomet  CSC                64bit             5              YES       0/40
Darkcomet  CSC                32bit             6              YES       0/40
Darkcomet  CSC                64bit             6              YES       0/40
Darkcomet  Default Browser    32bit             5              YES       0/40        Mozilla
Darkcomet  Default Browser    64bit             5              YES       0/40        Mozilla/Chrome
Darkcomet  Default Browser    32bit             5              YES       0/40        Internet Explorer
Darkcomet  Default Browser    64bit             5              YES       0/40        Internet Explorer
Darkcomet  svchost            32bit             5              YES       0/40
Darkcomet  svchost            64bit             5              YES       0/40