Anti-Virus Evasion Techniques and Countermeasures

Author: Debasis Mohanty
www.hackingspirits.com

Email ID: debasis_mty@yahoo.com
mail@hackingspirits.com

Table of Contents

1. Introduction .......... 3
2. Anti-Virus Evasion Techniques .......... 4
   2.1 Use of Binders and Packers .......... 4
   2.2 Code Obfuscation .......... 6
   2.3 Code Conversion from EXE to Client Side Scripts .......... 8
   2.4 Fake File Type Extension .......... 9
3. Malicious Codes Identification and Removal Techniques .......... 10
   3.1 Manually Identifying Malicious Codes .......... 10
   3.2 Manually Removing Viruses and Worms .......... 11
4. Countermeasures against Malicious Codes .......... 15
5. Conclusion .......... 16
6. About Author .......... 16



1. Introduction
The objective of this article is to demonstrate the different ways that virus and
worm coders evade anti-virus products while writing malicious programs; at the
same time I shall also discuss countermeasure techniques to defend against such
attacks. Before I go into depth I assume that the readers of this article are well
aware of the difference between worms and viruses.

It is not just an anti-virus product that protects corporate and end users from
malicious program attacks; what matters most is general user awareness of such
risks and a general sense of responsibility for defending against them.

This article will also try to educate various kinds of computer users, in the
simplest way, on how to deal with viruses and worms and defend against attacks in
which the AV engine becomes helpless because the malicious code uses special
techniques to prevent detection.

In this article I shall highlight the following things:

Anti-Virus Evasion Techniques
   Use of binders and packers
   Code obfuscation
   Code conversion from EXE to client side scripts
   Fake file type extension
Malicious Code Identification and Removal Techniques
Countermeasures against Malicious Codes


2. Anti-Virus Evasion Techniques
As stated earlier, the primary aim of this article is to educate ordinary computer
users as well as corporate end users, system administrators and security
professionals on how to deal with malicious code. For better understanding I shall
take you through the various techniques used by malicious code to get past an
anti-virus product. Given below are the techniques viruses and worms use to evade
most anti-virus products.

2.1 Use of binders and packers
Before I discuss how binders and packers are used for anti-virus evasion, it is
important to understand how an anti-virus product detects a malicious file against
its signature database.

Most anti-virus products create a virus or worm signature from the file properties
and the first few bytes of the malicious binary. The product usually computes a
checksum over the file properties and, in addition, takes the first few bytes of the
binary to build the signature for the malicious code. The signature for a
particular malicious code will look something like:


Binders
Binders are used to bind two or more EXE files into one single EXE file. A binder
usually attaches the other EXE files to itself and generates a new binary. For
example, if the original size of the binder file is 20 KB and the size of the EXE
to be attached is 35 KB, the final size of the newly generated EXE will be
20 KB + 35 KB = 55 KB (refer to the figure shown below).




In the figure above, the binder (File A) appends the malicious code binary (File B)
at its end-of-file (EOF). This creates another EXE (File C) that combines File A
and File B. When File C is executed, it sets the file read offset to 20 KB and
reads the remaining 35 KB to extract the original malicious code binary (File B).

This is how viruses or worms can be hidden with binders and get past anti-virus
products undetected: the original signature of the malicious code is shifted to a
different offset in the newly generated binary, which easily evades any static
(signature-based) anti-virus product.

A few binders available on the internet are Infector v2, Exe-Maker, Exe-Joiner,
Trojan Man, Elitewrap and TOP.
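As an added illustration of the two points above (the first-few-bytes signature model, and the binder shifting File B to a new offset inside File C), here is a small Python example. It is not part of the original article and does not use any of the binder tools it names. It constructs PE-shaped sample files inline (harmless byte strings, not real programs), shows that a checksum over the first 256 bytes no longer matches once File B is appended to File A, and shows the defender-side check that catches this case: parsing the section table to find the declared end of the image and treating anything past it (the overlay) as a file to be scanned in its own right.

```python
import hashlib
import struct

# ---------------------------------------------------------------------------
# Constructed sample files. These are PE-shaped byte strings built only for
# this example: not runnable programs, and not the tools the article names.
# ---------------------------------------------------------------------------

def build_minimal_pe(section_bodies):
    """Return a minimal PE image: DOS header, 'PE\\0\\0', COFF header, section
    table, then the raw section data laid out back to back."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff_header = struct.pack(
        "<HHIIIHH",
        0x014C,                 # Machine: Intel 386
        len(section_bodies),    # NumberOfSections
        0, 0, 0,                # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
        0,                      # SizeOfOptionalHeader (omitted; the parser below copes)
        0x0102,                 # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    headers_len = len(dos_header) + 4 + len(coff_header) + 40 * len(section_bodies)
    table, raw = b"", b""
    offset = headers_len
    for i, body in enumerate(section_bodies):
        table += struct.pack(
            "<8sIIIIIIHHI",
            b".text%d" % i, len(body), 0x1000 * (i + 1),
            len(body), offset,          # SizeOfRawData, PointerToRawData
            0, 0, 0, 0, 0x60000020,     # relocs/linenumbers, Characteristics
        )
        offset += len(body)
        raw += body
    return dos_header + b"PE\0\0" + coff_header + table + raw


def first_bytes_signature(data, n=256):
    """The article's model of a signature: a checksum over the first few bytes."""
    return hashlib.sha256(data[:n]).hexdigest()


def declared_end_of_image(data):
    """Offset just past the last byte that any PE header or section accounts for."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_header_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_header_size
    end = table + 40 * num_sections
    for i in range(num_sections):
        size_of_raw, ptr_to_raw = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, ptr_to_raw + size_of_raw)
    return end


def overlay_size(data):
    """Bytes appended after the declared end of the image: where a binder puts File B."""
    return len(data) - declared_end_of_image(data)


def scan_first_bytes(data, signature_db):
    """Naive static scan: does the first-bytes checksum appear in the database?"""
    return first_bytes_signature(data) in signature_db


def scan_with_overlay(data, signature_db):
    """Scan the file, then re-scan any overlay as if it were a separate file."""
    if scan_first_bytes(data, signature_db):
        return True
    overlay = overlay_size(data)
    return overlay > 0 and scan_first_bytes(data[-overlay:], signature_db)


# "File A": the binder stub; "File B": the (constructed, harmless) malicious code;
# "File C": B appended at A's end-of-file, as the article's figure describes.
FILE_A = build_minimal_pe([b"binder-stub-code" * 8])
FILE_B = build_minimal_pe([b"not-really-malicious-code" * 10])
FILE_C = FILE_A + FILE_B

# The database holds only the signature of File B.
SIGNATURE_DB = {first_bytes_signature(FILE_B)}

if __name__ == "__main__":
    print("File B alone detected by first-bytes scan:", scan_first_bytes(FILE_B, SIGNATURE_DB))
    print("File C detected by first-bytes scan:      ", scan_first_bytes(FILE_C, SIGNATURE_DB))
    print("Overlay bytes in File C:                  ", overlay_size(FILE_C))
    print("File C detected once overlay is scanned:  ", scan_with_overlay(FILE_C, SIGNATURE_DB))
```

An overlay is only a heuristic: self-extracting installers and Authenticode-signed binaries legitimately carry data past the last section, so the result should route a file to closer inspection rather than block it outright. It also does nothing against a packer, where File B is compressed before embedding and must be unpacked or emulated before any byte signature can match.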

Packers (Compressors)
Packers work very similarly to binders; the only difference is that with a packer
the malicious binary is compressed before it is embedded in the packer's binary to
generate the final EXE. This leaves any anti-virus product helpless to detect the
compressed malicious binary, since the signature changes because of the
compression.

A few packers available on the internet are Shrinker, PKlite, AS-pack, Petite and
WWpack.



2.2 Code Obfuscation
Code obfuscation is a process in which the binary of the malicious program
undergoes various transformations (for example code morphing) that anti-virus
products do not detect. There are various kinds of code obfuscation techniques,
such as polymorphism and metamorphism, but in this section I shall discuss a
technique called “Code Morphing”, which prevents anti-virus products from
detecting malicious patterns in the binaries.

In “Code Morphing”, the malicious code is encrypted and a small routine is
embedded to decrypt it before the malicious code runs. This kind of code
obfuscation applies several transformations which are nondeterministic and
destroy the visible logical structure of the code; hence it not only prevents
detection by anti-virus products but also hinders disassembly or debugging with
tools like SoftICE and IDA Pro. One tool that performs this kind of code
obfuscation is “EXECryptor”.

Various kinds of transformations used in such techniques are: NOP insertion, code
transposition (i.e. changing the order of instructions and inserting jump
instructions to maintain the original semantics), and register reassignment
(permuting the register allocation). These transformations effectively change the
malicious binary's signature, inhibiting effective signature scanning by an
anti-virus tool.

Screenshots 2.2.1 and 2.2.2 show the analysis done on the “NetBus” Trojan horse.
Screenshot 2.2.1 displays the disassembly before the code was obfuscated and
screenshot 2.2.2 displays the disassembly after the code was obfuscated. The
changes in the assembly instructions are clearly visible in screenshots 2.2.1 and
2.2.2 from address “00401000” to “00401006”.
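To make the NOP-insertion transformation concrete, here is an added Python example; it is not from the article, and it uses a constructed function-prologue byte pattern rather than any NetBus bytes or a real vendor signature. It shows why an exact byte-sequence signature stops matching once NOPs are inserted between instructions, and one normalization a scanner can apply before matching.

```python
# Constructed sample: a generic x86 function-prologue pattern standing in for
# the "signature" an AV product might have extracted from a binary. It is not
# taken from NetBus or from any real signature database.
SIGNATURE = bytes.fromhex("558bec83ec10")      # push ebp; mov ebp,esp; sub esp,0x10

NOP = 0x90

# The same three instructions with NOPs inserted at instruction boundaries,
# as the article describes under "NOP insertion": 55 | 90 | 8b ec | 90 90 | 83 ec 10.
# The semantics are unchanged; the byte sequence is not.
MORPHED = bytes.fromhex("55908bec909083ec10")


def embed(fragment):
    """Surround a fragment with constructed filler so it sits at a non-zero offset,
    roughly like code inside a larger binary."""
    return b"\xcc" * 37 + fragment + b"\xc3" + b"\x00" * 20


ORIGINAL_FILE = embed(SIGNATURE)   # "before obfuscation"
MORPHED_FILE = embed(MORPHED)      # "after obfuscation"


def naive_scan(data, signature):
    """Exact byte-sequence search, the model of signature scanning the article
    describes. Returns the match offset, or -1 when there is no match."""
    return data.find(signature)


def strip_nops(data):
    """Remove every single-byte NOP (0x90) from a byte string."""
    return bytes(b for b in data if b != NOP)


def normalized_scan(data, signature):
    """Match after removing NOPs from both the sample and the signature, so that
    NOP insertion alone no longer hides the pattern. Returns the offset in the
    normalized sample, or -1."""
    return strip_nops(data).find(strip_nops(signature))


if __name__ == "__main__":
    print("naive scan, original:     ", naive_scan(ORIGINAL_FILE, SIGNATURE))
    print("naive scan, morphed:      ", naive_scan(MORPHED_FILE, SIGNATURE))
    print("normalized scan, morphed: ", normalized_scan(MORPHED_FILE, SIGNATURE))
```

This normalization is deliberately crude: 0x90 can also occur as an operand byte (an immediate or part of an address), so blind stripping can produce both misses and false matches, and it does nothing against code transposition or register reassignment. Production engines therefore disassemble or emulate the code rather than compare raw bytes, which is the reason the article's later countermeasures lean on user awareness and manual identification rather than on signatures alone.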
Screenshot 2.2.1 (“NetBus” signature before code obfuscation)




Since the signature of the malicious patterns has changed after the code
obfuscation, anti-virus products fail to detect such obfuscated binaries.
Screenshot 2.2.2 (“NetBus” signature after code obfuscation)


Various other tools popularly used by hackers and malicious code programmers to
obfuscate malicious code are “Mistfall” by z0mbie and “Burneye” by TESO.

Similarly, a polymorphic virus is a virus that encrypts itself, changing its
'signature' so that it is difficult for anti-virus software to detect, by using a
'mutation engine' to change the appearance of the virus in an attempt to evade
detection and destruction.

2.3 Code conversion from EXE to client side scripts
There are techniques that can convert an executable, or any other file type (like
.pif or .scr), into a .vbs file; when the .vbs file is run, the hidden binary is
executed automatically. This helps malicious users spread malicious programs across
the internet and get past various anti-virus gateways undetected.

Here I shall take NetBus as a sample malicious binary to hide inside a .vbs file.
Screenshot 2.3.1 below shows “NetBus-Server.exe” converted into a .vbs file called
“nude-britney-spears.vbs” using a program called exe2vbs converter (by z0mbie).
When the VB script file is run, it creates the executable hidden inside the script
and then executes it. Screenshot 2.3.2 displays the structure of the binary file
(NetBus-Server.exe) hidden in the .vbs file. Since the signature of the malicious
binary is different after the conversion, it can get past any anti-virus product
undetected.
Screenshot 2.3.1 (Converting “NetBus-Server.exe” to *.vbs file)



Screenshot 2.3.2 (“NetBus” signature after code conversion)


2.4 Fake File Type Extension
Malicious program coders use attractive names such as “nude-britney-spears.pif”
or “sex-photo.jpg” when spreading viruses and worms by email, to trick recipients
into opening and running the attachment. Some viruses and worms use multiple fake
file type extensions to trick the victim into running the file. For example, the
AnnaKournikova worm uses the fake file type extension “.jpg.vbs” (i.e.
"AnnaKournikova.jpg.vbs"), which entices recipients into believing that they are
receiving a harmless JPG image of the famous tennis star rather than malicious
code. This is how fake file type names are used by malicious programs to get past
various security filters and fool the recipient into opening the email attachment.

One more method that malicious programmers, hackers and crackers use to fool their
victims is a CLSID (Class ID) extension on the malicious program. This method
hides the original extension of the file.


3. Malicious Codes Identification and Removal Techniques
In most cases, viruses and worms change their file extension from “.exe” to some
other extension like “.pif”, “.scr” or “.jpeg” to trick the victim into downloading
such files from the internet or from mail and executing them. Since in most cases
these files are executables, they get executed as soon as the user clicks on them
and infect the user's system.

3.1 Manually Identifying Malicious Codes
Here I shall discuss a simple method to detect any malicious binary with a fake
file extension. This method can be used by ordinary computer users as well as
advanced network security administrators to defend against such malicious
binaries. Before we go further, it is important for readers to know, in brief, the
structure of an executable or binary (.exe).

The header information of any executable file (.exe) is present in the first 27
bytes of the exe file. But one doesn't have to go into so much technical detail to
find out whether a file is an executable or not. The first two bytes of any
executable file contain ‘MZ’, and that is enough to prove whether a file is an
executable or not. Different file types have different header properties, and
these properties don't change even if the file extension is changed.
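The two naming tricks described in section 2.4 (double extensions such as “.jpg.vbs”, and a CLSID suffix that hides the real extension) and the ‘MZ’ header check described here can be combined into one attachment check. The following Python example is added here; it is not the article's own code, and its sample attachments (including the all-zero CLSID placeholder and the script text) are constructed for the example rather than taken from real mail or real malware.

```python
import re

# Content "magic bytes" that identify a file by its header rather than its name.
# The article's own check is the 'MZ' prefix of executables; the other entries
# are well-known headers added here for comparison.
MAGIC = [
    (b"MZ", "executable"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]

# Extensions Windows runs (as a program or a script) when double-clicked.
EXECUTABLE_EXTENSIONS = {"exe", "com", "pif", "scr", "bat", "cmd", "vbs", "js"}

# Extensions that look like harmless documents or images (the decoy part of a
# double extension such as "AnnaKournikova.jpg.vbs").
DECOY_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf"}

# What the content should look like for a given claimed extension.
EXPECTED_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "png": "png", "pdf": "pdf"}

# A trailing ".{GUID}" on a file name: Explorer hides it, so the user sees only
# what comes before it.
CLSID_SUFFIX = re.compile(r"\.\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$")


def content_type(data):
    """Classify a file by its leading bytes, ignoring its name entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def assess_attachment(filename, data):
    """Return a list of finding codes for one attachment (empty list = nothing suspicious)."""
    findings = []
    name = filename.lower()

    clsid = CLSID_SUFFIX.search(name)
    if clsid:
        findings.append("clsid-extension")
        name = name[:clsid.start()]          # keep the part the user would actually see

    exts = name.split(".")[1:]
    if (len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTENSIONS
            and any(e in DECOY_EXTENSIONS for e in exts[:-1])):
        findings.append("double-extension")

    claimed = exts[-1] if exts else ""
    actual = content_type(data)
    if actual == "executable" and claimed not in EXECUTABLE_EXTENSIONS:
        findings.append("magic-mismatch")    # 'MZ' header behind a non-executable name
    elif claimed in EXPECTED_TYPE and actual != "unknown" and actual != EXPECTED_TYPE[claimed]:
        findings.append("magic-mismatch")    # e.g. a PDF header behind a .jpg name
    return findings


# Constructed sample attachments. The MZ-prefixed bodies are inert byte strings,
# the script body is plain text, and the CLSID is a placeholder, not a real class id.
SAMPLES = [
    ("AnnaKournikova.jpg.vbs", b"' constructed script text, not a dropper\r\nMsgBox \"hello\"\r\n"),
    ("sex-photo.jpg", b"MZ\x90\x00" + b"\x00" * 60),
    ("photo.jpg.{00000000-0000-0000-0000-000000000000}", b"MZ\x90\x00" + b"\x00" * 60),
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 56),
    ("setup.exe", b"MZ\x90\x00" + b"\x00" * 60),
]


def scan_samples():
    """Run the check over every constructed sample and map file name -> findings."""
    return {name: assess_attachment(name, data) for name, data in SAMPLES}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:55s} {findings or 'ok'}")
```

The three checks are independent on purpose: the double-extension and CLSID rules need only the name and can run at a mail gateway before the body is even read, while the magic check catches the case the article is really about, a renamed executable whose first two bytes still read ‘MZ’ no matter what the name claims.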

Screenshot 3.1.1 (Executable or Binary Header Information)
