Malware & Antivirus Evasion

Antivirus Detection Methods

1. Signature Based

   1. Files scanned for malware signatures (Blacklist type)

   2. Cons: Changing or obfuscating contents (byte sequences)

2. Heuristics Based

   1. rules and algorithms to determine maliciousness

   2. Look through instruction set of binary & decompile source code

   3. Patterns and program calls

3. Behavior Based

   1. executing file in emulated environment --> actions that are malicious

Types of Malware

• Multipartite (multi ways of propagation)

• Stealth virus (overwrite MBR but modify the OS access function to cover tracks)

• Polymorphic (changes signature by adding random code block)

• Encrypted virus (short decryption routine – changes each infection + main code)

• Logic bomb (Triggers on a certain date, event, action)

• Service injection virus

• MBR virus (Master boot record has pointer to run stored virus code somewhere else)

File infector + companion virus(.exe to .com with same name)

Malware Analysis

• Tools: Decompiler, hex editor, debugger (IDA Pro , Ghidra)

• Static Analysis

  • Disassembly to identify malicious infra, libraries and files

  • However, might have runtime behaviour that goes undetected (file generates a string that downloads a malicious file based on a dynamic string)

• Dynamic Analysis

  • Executes file in sandbox

  • File might have conditions that lay dormant until certain conditions met

  • Memory forensics – see how it uses memory + behavioural analysis

Bypassing AV Detection

1. On-Disk Evasion

• Packers --> Compression of file size, signature changes

• Obfuscators --> reorganise, mutate code, insert irrelevant instructions, split and reorder functions

• Crypters --> Decrypting stub that decodes exe code on execution, decryption happens in memory (encrypted code on disk)

• Software Protectors --> VM emulaion detection, anti-debugging, anti-reversing

2. In-Memory Evasion (PE - Portable Executable injection)

Manipulation of volatile memory; does not write any files to disk (Here we cover only in-memory injection using POWERSHELL

• Remote Process Memory Injection

  • inject payload into legitimate PE (.exe)

  • Leveraging Set of Windows APIs

    • OpenProcess (obtain valid HANDLE to target process we have permission to access) --> etc. PowerShell.exe

    • Allocate memory in conttextt of Target process by calling windows API --> etc. VirtualAllocEx

    • WriteProcessMemory --> Copy payload to newly allocated memory

    • CreateRemoteThread --> Execute payload in memory

• Reflective DLL Injection

Regular DLL Injection loads a malicious DLL from disk using LoadLibrary API, reflective DLL loads a DLL stored by an attacker in the process memory

• LoadLibrary does not support loading a DLL from memory

• Attacker must write own version of the API that does not rely on disk based DLL

• Process Hollowing

  • Launch non-malicious process in suspended state

  • Image of process remove from memory

  • Replace with malicius exe

  • Continue process & execute malware

• Inline Hooking

  • Modifying memory & introduce a HOOK (instructions that redirect the code)

  • HOOK points execution flow to Malicious code

  • Original code executes too