Converting Programs to Bypass AntiVirus
Recently I noticed an entry by Kevin Thompson (mn_kthompson) on the Ethical Hacker Network (EHN). The author talked about bypassing signature-based anti-virus software (http://www.ethicalhacker.net/component/option,com_smf/Itemid,49/topic,940.msg2845/#new). Although Kevin is not a malware analysis expert, he outlines a few initial steps that somebody might take to accomplish anti-virus evasion. The EHN user Kev responded (http://www.ethicalhacker.net/component/option,com_smf/Itemid,49/topic,940.msg2845#msg2845) that another method to avoid detection is to use a program packer or crypter to modify the program.
Well, as I am also not a malware expert, I decided to follow Kevin and Kev's lead and do a little modification of my own. I followed Kevin's original thought process and downloaded netcat for Windows (http://www.vulnwatch.org/netcat/). Next I downloaded a hex editor for Windows (http://www.catch22.net/software/hexedit.asp) and the UPX program packer (http://upx.sourceforge.net/). I know that the UPX packer is very common and therefore probably very predictable, but I did not want to look for a unique packer that might contain some malware itself. Lastly I needed a Windows hashing program. Luckily I already had one installed, Karen's Hasher, which I found through Karenware (http://www.karenware.com/powertools/pthasher.asp).
To get started I modified the nc.exe program by using the hex editor to change the word "program" to "PROGRAM". I saved this file as nc_PROGRAM.exe. Next I used the UPX packer to pack both nc.exe and nc_PROGRAM.exe. I used the following commands to convert these files (--brute tries all of UPX's compression methods and filters; -o names the output file):
– upx.exe --brute -o nc_orig_upx.exe nc.exe
– upx.exe --brute -o nc_PROGRAM_upx.exe nc_PROGRAM.exe
Once the programs were packed I got the MD5 hash for each. Here are the results:
– nc.exe AB41B1E2DB77CEBD9E2779110EE3915D
– nc_orig_upx.exe C94BDE8E5590B4E6987FA43BDACB83DC
– nc_PROGRAM.exe 23575179C749575323868E5ADDCFE94C
– nc_PROGRAM_upx.exe BB7F9D5453F25158C5850CFBE5F01274
Of course, how could I be sure that all of these programs would still work properly? I figured that, since all of these files are executables, if any part of one were damaged the whole program would fail to run. So, to check functionality I decided to simply ask for the help output. I ran each program with the help (-h) option. Each one gave me the same output, so I am going to assume that each one is as functional as the others.
As I am running AVG Free on my system, I do not have a good way to determine whether I would get the same results as Kevin did with Symantec's Norton Antivirus. What I have found in my reading of forums and other documentation is a website that will analyze an uploaded file using a plethora of antivirus engines. Although I think they included Symantec's product at one point, it currently does not seem to include this vendor. The service I am talking about is provided by VirusTotal (http://www.virustotal.com). The list of antivirus programs they use can be found through their "VirusTotal" (http://www.virustotal.com/en/virustotalx.html) link, but this list is outdated and should not be used for reference. One thing I should definitely point out here is that even when using this service to analyze a file you should be wary of the results. VirusTotal puts it best by stating:
"VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware."
The following is the output they provide when run against each file.
nc.exe

| Antivirus | Version | Update | Result |
| --- | --- | --- | --- |
| AntiVir | 7.3.0.21 | 12.24.2006 | no virus found |
| Authentium | 4.93.8 | 12.22.2006 | no virus found |
| Avast | 4.7.892.0 | 12.21.2006 | no virus found |
| AVG | 386 | 12.24.2006 | no virus found |
| BitDefender | 7.2 | 12.24.2006 | no virus found |
| CAT-QuickHeal | 8 | 12.23.2006 | no virus found |
| ClamAV | devel-20060426 | 12.24.2006 | no virus found |
| DrWeb | 4.33 | 12.24.2006 | no virus found |
| eSafe | 7.0.14.0 | 12.24.2006 | Win32.HackTool |
| eTrust-InoculateIT | 23.73.97 | 12.23.2006 | no virus found |
| eTrust-Vet | 30.3.3271 | 12.23.2006 | no virus found |
| Ewido | 4 | 12.24.2006 | Not-A-Virus.RemoteAdmin.Win32.NetCat |
| Fortinet | 2.82.0.0 | 12.24.2006 | HackerTool/Nt110 |
| F-Prot | 3.16f | 12.22.2006 | no virus found |
| F-Prot4 | 4.2.1.29 | 12.22.2006 | no virus found |
| Ikarus | T3.1.0.27 | 12.24.2006 | not-a-virus:RemoteAdmin.Win32.NetCat |
| Kaspersky | 4.0.2.24 | 12.24.2006 | not-a-virus:RemoteAdmin.Win32.NetCat |
| McAfee | 4925 | 12.22.2006 | no virus found |
| Microsoft | 1.1904 | 12.24.2006 | no virus found |
| NOD32v2 | 1937 | 12.24.2006 | Win32/RemoteAdmin.NetCat |
| Norman | 5.80.02 | 12.22.2006 | no virus found |
| Panda | 9.0.0.4 | 12.24.2006 | HackTool/NetCat.A |
| Prevx1 | V2 | 12.24.2006 | no virus found |
| Sophos | 4.12.0 | 12.24.2006 | NetCat |
| Sunbelt | 2.2.907.0 | 12.18.2006 | no virus found |
| TheHacker | 6.0.3.136 | 12.24.2006 | Aplicacion/NetCat |
| UNA | 1.83 | 12.22.2006 | Backdoor.Delf.86C0 |
| VBA32 | 3.11.1 | 12.24.2006 | Backdoor.Win32.Rbot.bdu |
| VirusBuster | 4.3.19:9 | 12.23.2006 | Backdoor.NetCat32.C |

Additional Information
File size: 61440 bytes
MD5: ab41b1e2db77cebd9e2779110ee3915d
SHA1: 4122cf816aaa01e63cfb76cd151f2851bc055481
nc_PROGRAM.exe

| Antivirus | Version | Update | Result |
| --- | --- | --- | --- |
| AntiVir | 7.3.0.21 | 12.24.2006 | no virus found |
| Authentium | 4.93.8 | 12.22.2006 | no virus found |
| Avast | 4.7.892.0 | 12.21.2006 | no virus found |
| AVG | 386 | 12.24.2006 | no virus found |
| BitDefender | 7.2 | 12.24.2006 | no virus found |
| CAT-QuickHeal | 8 | 12.23.2006 | no virus found |
| ClamAV | devel-20060426 | 12.24.2006 | no virus found |
| DrWeb | 4.33 | 12.24.2006 | no virus found |
| eSafe | 7.0.14.0 | 12.24.2006 | no virus found |
| eTrust-InoculateIT | 23.73.97 | 12.23.2006 | no virus found |
| eTrust-Vet | 30.3.3271 | 12.23.2006 | no virus found |
| Ewido | 4 | 12.24.2006 | Not-A-Virus.RemoteAdmin.Win32.NetCat |
| Fortinet | 2.82.0.0 | 12.24.2006 | no virus found |
| F-Prot | 3.16f | 12.22.2006 | no virus found |
| F-Prot4 | 4.2.1.29 | 12.22.2006 | no virus found |
| Ikarus | T3.1.0.27 | 12.24.2006 | not-a-virus:RemoteAdmin.Win32.NetCat |
| Kaspersky | 4.0.2.24 | 12.24.2006 | not-a-virus:RemoteAdmin.Win32.NetCat |
| McAfee | 4925 | 12.22.2006 | no virus found |
| Microsoft | 1.1904 | 12.24.2006 | no virus found |
| NOD32v2 | 1937 | 12.24.2006 | Win32/RemoteAdmin.NetCat |
| Norman | 5.80.02 | 12.22.2006 | no virus found |
| Panda | 9.0.0.4 | 12.24.2006 | HackTool/NetCat.A |
| Prevx1 | V2 | 12.24.2006 | no virus found |
| Sophos | 4.12.0 | 12.24.2006 | NetCat |
| Sunbelt | 2.2.907.0 | 12.18.2006 | no virus found |
| TheHacker | 6.0.3.136 | 12.24.2006 | Aplicacion/NetCat |
| UNA | 1.83 | 12.22.2006 | Backdoor.Delf.86C0 |
| VBA32 | 3.11.1 | 12.24.2006 | Backdoor.Win32.Rbot.bdu |
| VirusBuster | 4.3.19:9 | 12.23.2006 | Backdoor.NetCat32.C |

Additional Information
File size: 61440 bytes
MD5: 23575179c749575323868e5addcfe94c
SHA1: b8a93e394d7079cea568102ce96ddf69f0032d74
nc_orig_upx.exe

| Antivirus | Version | Update | Result |
| --- | --- | --- | --- |
| AntiVir | 7.3.0.21 | 12.24.2006 | no virus found |
| Authentium | 4.93.8 | 12.22.2006 | no virus found |
| Avast | 4.7.892.0 | 12.21.2006 | no virus found |
| AVG | 386 | 12.24.2006 | no virus found |
| BitDefender | 7.2 | 12.24.2006 | no virus found |
| CAT-QuickHeal | 8 | 12.23.2006 | no virus found |
| ClamAV | devel-20060426 | 12.24.2006 | no virus found |
| DrWeb | 4.33 | 12.24.2006 | no virus found |
| eSafe | 7.0.14.0 | 12.24.2006 | suspicious Trojan/Worm |
| eTrust-InoculateIT | 23.73.97 | 12.23.2006 | no virus found |
| eTrust-Vet | 30.3.3271 | 12.23.2006 | no virus found |
| Ewido | 4 | 12.24.2006 | Not-A-Virus.RemoteAdmin.Win32.NetCat |
| Fortinet | 2.82.0.0 | 12.24.2006 | HackerTool/Netcat |
| F-Prot | 3.16f | 12.22.2006 | no virus found |
| F-Prot4 | 4.2.1.29 | 12.22.2006 | no virus found |
| Ikarus | T3.1.0.27 | 12.24.2006 | not-a-virus:RemoteAdmin.Win32.NetCat |
| Kaspersky | 4.0.2.24 | 12.24.2006 | not-a-virus:RemoteAdmin.Win32.NetCat |
| McAfee | 4925 | 12.22.2006 | no virus found |
| Microsoft | 1.1904 | 12.24.2006 | no virus found |
| NOD32v2 | 1937 | 12.24.2006 | Win32/RemoteAdmin.NetCat |
| Norman | 5.80.02 | 12.22.2006 | no virus found |
| Panda | 9.0.0.4 | 12.24.2006 | HackTool/NetCat.A |
| Prevx1 | V2 | 12.24.2006 | no virus found |
| Sophos | 4.12.0 | 12.24.2006 | NetCat |
| Sunbelt | 2.2.907.0 | 12.18.2006 | no virus found |
| TheHacker | 6.0.3.136 | 12.24.2006 | no virus found |
| UNA | 1.83 | 12.22.2006 | Backdoor.Delf.86C0 |
| VBA32 | 3.11.1 | 12.24.2006 | Backdoor.Win32.Rbot.bdu |
| VirusBuster | 4.3.19:9 | 12.23.2006 | Backdoor.NetCat32.C |

Additional Information
File size: 30720 bytes
MD5: c94bde8e5590b4e6987fa43bdacb83dc
SHA1: 34e0985479f2fbd9f723d3863917e0d4e1b7fe4e
packers: UPX
nc_PROGRAM_upx.exe

| Antivirus | Version | Update | Result |
| --- | --- | --- | --- |
| AntiVir | 7.3.0.21 | 12.24.2006 | no virus found |
| Authentium | 4.93.8 | 12.22.2006 | no virus found |
| Avast | 4.7.892.0 | 12.21.2006 | no virus found |
| AVG | 386 | 12.24.2006 | no virus found |
| BitDefender | 7.2 | 12.24.2006 | no virus found |
| CAT-QuickHeal | 8 | 12.23.2006 | no virus found |
| ClamAV | devel-20060426 | 12.24.2006 | no virus found |
| DrWeb | 4.33 | 12.24.2006 | no virus found |
| eSafe | 7.0.14.0 | 12.24.2006 | suspicious Trojan/Worm |
| eTrust-InoculateIT | 23.73.97 | 12.23.2006 | no virus found |
| eTrust-Vet | 30.3.3271 | 12.23.2006 | no virus found |
| Ewido | 4 | 12.24.2006 | Not-A-Virus.RemoteAdmin.Win32.NetCat |
| Fortinet | 2.82.0.0 | 12.24.2006 | suspicious |
| F-Prot | 3.16f | 12.22.2006 | no virus found |
| F-Prot4 | 4.2.1.29 | 12.22.2006 | no virus found |
| Ikarus | T3.1.0.27 | 12.24.2006 | not-a-virus:RemoteAdmin.Win32.NetCat |
| Kaspersky | 4.0.2.24 | 12.24.2006 | not-a-virus:RemoteAdmin.Win32.NetCat |
| McAfee | 4925 | 12.22.2006 | no virus found |
| Microsoft | 1.1904 | 12.24.2006 | no virus found |
| NOD32v2 | 1937 | 12.24.2006 | Win32/RemoteAdmin.NetCat |
| Norman | 5.80.02 | 12.22.2006 | no virus found |
| Panda | 9.0.0.4 | 12.24.2006 | HackTool/NetCat.A |
| Prevx1 | V2 | 12.24.2006 | no virus found |
| Sophos | 4.12.0 | 12.24.2006 | NetCat |
| Sunbelt | 2.2.907.0 | 12.18.2006 | no virus found |
| TheHacker | 6.0.3.136 | 12.24.2006 | no virus found |
| UNA | 1.83 | 12.22.2006 | Backdoor.Delf.86C0 |
| VBA32 | 3.11.1 | 12.24.2006 | Backdoor.Win32.Rbot.bdu |
| VirusBuster | 4.3.19:9 | 12.23.2006 | Backdoor.NetCat32.C |

Additional Information
File size: 30720 bytes
MD5: bb7f9d5453f25158c5850cfbe5f01274
SHA1: c841e46de25d5adfffe4c41e074c62b2e86c0faf
packers: UPX
So, what are the real differences here? Not much, really. The majority of the antivirus vendors do not consider nc.exe a malicious program. Of the vendors that do, only "eSafe" and "Fortinet" were fooled by simply modifying a few bytes in the executable. This probably means that these vendors are identifying the program by its hash signature. Packing the original program did apparently bypass the check by "TheHacker", although it caused "eSafe" to reclassify the program from "Win32.HackTool" to "suspicious Trojan/Worm." I am not sure what this actually means other than that "eSafe" is identifying the fact that the program is packed and labeling it as suspicious on that basis. Finally, the packed version of the modified Netcat file only changes the response of the vendor "Fortinet", which now labels the program as "suspicious."
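The hash-versus-content distinction drawn above, as an added Python example that is not part of the original post or of any vendor's engine: it builds three constructed PE skeletons standing in for nc.exe, the hex-edited copy and a UPX-packed copy (the section names UPX0/UPX1 are what UPX writes by default; the file bodies are made up), then classifies each with a hash-only signature, a byte-pattern signature and a packer check. The helper names (pe_section_names, looks_upx_packed, classify, build_fake_pe) are my own.

```python
import hashlib
import struct

def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE image ([] if the bytes are not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                                  # start of the COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                         # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]    # first 8 bytes of each 40-byte entry
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names

def looks_upx_packed(data: bytes) -> bool:
    """UPX names its sections UPX0/UPX1 by default: a cheap, static packer check."""
    return any(n.startswith("UPX") for n in pe_section_names(data))

def classify(data: bytes, known_md5: set, patterns: list) -> str:
    """Three signature styles, in the order a simple engine might try them."""
    if hashlib.md5(data).hexdigest() in known_md5:       # whole-file hash: any byte change breaks it
        return "known-by-hash"
    if any(p in data for p in patterns):                 # byte pattern: survives edits elsewhere in the file
        return "known-by-pattern"
    if looks_upx_packed(data):                           # packed and unknown: flag rather than clear
        return "suspicious-packed"
    return "clean"

def build_fake_pe(section_names: list, body: bytes) -> bytes:
    """Constructed fixture: a minimal PE skeleton with a section table (not runnable code)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)      # SizeOfOptionalHeader = 0
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table + body

# Constructed stand-ins for the post's files (not the real nc.exe bytes).
ORIGINAL = build_fake_pe([".text", ".data"], b"usage: program [-options] hostname port")
MODIFIED = ORIGINAL.replace(b"program", b"PROGRAM")      # the hex editor change from the post
PACKED = build_fake_pe(["UPX0", "UPX1"], b"<stand-in for a UPX-compressed body>")
KNOWN_MD5 = {hashlib.md5(ORIGINAL).hexdigest()}
PATTERNS = [b"[-options] hostname port"]                 # bytes the edit left untouched

def run_demo() -> dict:
    return {name: classify(d, KNOWN_MD5, PATTERNS)
            for name, d in (("original", ORIGINAL), ("modified", MODIFIED), ("packed", PACKED))}
```

run_demo() returns "known-by-hash" for the original, "known-by-pattern" for the edited copy and "suspicious-packed" for the packed one, which is the same split the eSafe and Fortinet rows show above.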
So, what are my conclusions from all of this? Well, first, simple modification and packing do not seem to affect the conclusions made by the majority of antivirus vendors. Second, it seems that the vendors "eSafe," "Fortinet," and "TheHacker" are not very consistent in their analysis of programs, and therefore their results should be questioned or at least confirmed. Third, the next step is to do this with a virus in a controlled environment (which I do not have, so I will not be pursuing this step) to test the conclusions of the other vendors under similar circumstances. Lastly, Kevin and Kev's steps for initially delving into the malware field are interesting and worth recreating. Keep up the good work. Y'all might not have found a way to slip flagged programs by antivirus systems yet, but y'all are definitely on the right track.
Go forth and do good things,
Cutaway
malware, UPX, packer, VirusTotal, Karenware, Netcat, antivirus, Security Ripcord, Ethical Hacker Network
January 7th, 2007 at 7:19 am
instead of using a virus (which you do not have) to continue experimenting with, why not use the eicar standard anti-virus test file? after all, if you’re just testing how well you can hide an arbitrary program from an anti-virus scanner all that should really matter is that you use something the scanner would normally detect – and just about everything detects the eicar standard anti-virus test file…
January 7th, 2007 at 4:43 pm
I thought about using Eicar but I decided against it. As I am not a malware expert, and want to focus on other things, there is really no point in moving forward with this test as I have accomplished my goal and I think I will gain more from reading the results of other more experienced malware experts (at least at this point). Kev from Ethical Hacker has actually already done this anyway (http://www.ethicalhacker.net/component/option,com_smf/Itemid,49/topic,821.0/); I just didn't see it until after my post. It is obvious that most antivirus vendors use more information for their signatures than simple hashes and that the most common packers/crypters will be included in their efforts.
I think the primary goal of this experiment (at least for me) was to start thinking about ways to hide programs that might be uploaded for penetration testing. What I get out of this is that simple modification is not enough. I will either need to write my own programs to function in the same manner as tools like Netcat, or I will have to find an exploit (remote or local) that I can then use to have Metasploit or Core Impact subvert a process for me. I like this better because uploads and new processes will probably be logged and then there is more work to hide it all. If I cannot get a subverted process then I will try and use as many local programs as possible before uploading any program that I know is detected by antivirus software. I will then also probably consider some of the other aspects of anti-virus evasion methods as described in the Ethical Hacker discussion (http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,940.0/) before doing such uploads.
Thanks for your comments.
Go forth and do good things,
Cutaway