Antivirus Evasion for dummies
Long time, huh? I just updated my website and I hope you like the new look and feel. I have recently been working on a lot of AV solutions, trying to understand how one can evade detection without using any crypters or obfuscation. I know the topic is a bit touchy, and you may wonder why I am discussing AV bypasses in the first place. Frankly, while conducting a penetration test (the formal name for breaking into systems) we come across plenty of protection mechanisms such as AVs, firewalls and much more. With that in mind, I thought of sharing the most basic AV evasion techniques, just to understand how an AV works. For this topic we will use ClamAV (open source and fun to play with).
The same approach applies to any other signature-based engine whose database you can unpack and decode; all you need are the decoded signatures. It does not cover heuristic, emulation or behavioural detection, which look at what the file does rather than which bytes it contains.
The Setup:
We will be using the latest Ubuntu with ClamAV installed on it.
The Sample:
For the demo, I will be using a random CVE-2010-3333 sample which is detected by almost every AV solution out there.
The Idea:
The idea is not to obfuscate the file but to reverse the signatures and find out exactly what is being detected. We keep it simple and use sigtool (which ships with ClamAV) to unpack the signature database. With the decoded signatures in hand, we scan the infected file to learn which signature is causing the detection. In some cases the signature is only a hash of the whole file (stored together with the file size), which is trivially bypassed by appending a single space to the document, since any change to the bytes changes both the hash and the size. In other cases the signature matches a byte pattern in the file; then we need to find exactly which bytes the antivirus is looking for and change them in the payload without breaking it. Let's jump into the demo:
As shown in the demo, we can bypass hash-based detections and the byte patterns AV solutions look for once we know which signature fired.
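To make the procedure above concrete without a ClamAV install, here is an added example (not code from the post or from ClamAV) that re-implements, in miniature, the two signature kinds sigtool unpacks: whole-file hashes (.hdb lines, `MD5:FileSize:Name`) and hex byte patterns (.ndb lines, `Name:TargetType:Offset:HexSig`). The sample document, the two signature lines and their names are constructed for the demo; the sample is an inert RTF-looking stand-in, not a CVE-2010-3333 exploit. It shows why appending a space kills a hash signature but not a pattern signature, and how to locate the exact bytes a pattern signature fires on.

```python
"""Toy matcher for the two ClamAV signature kinds the post reverses: whole-file
hashes (.hdb, `MD5:FileSize:Name`) and hex patterns (.ndb,
`Name:TargetType:Offset:HexSig`), in the text form `sigtool --unpack` emits.
Added example, not code from the post or from ClamAV.  HexSig subset: hex
bytes, ?? (any byte), {n} / {n-m} (gap), * (any run of bytes); Offset: * or an
absolute byte offset.  The sample and both signatures are constructed."""
import hashlib
import re
from dataclasses import dataclass

# Constructed stand-in (not a real exploit): an RTF fragment with a pFragments
# shape property, the kind of content a CVE-2010-3333 signature keys on.
SAMPLE = (b"{\\rtf1\\ansi"
          b"{\\shp{\\sp{\\sn pFragments}{\\sv 1;2;0000414141414141}}}"
          b"}")

def hdb_line(data: bytes, name: str) -> str:
    """The .hdb entry that flags exactly this file: md5 AND size must match."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"

# Constructed signature database; the names are made up for the demo.
HDB = [hdb_line(SAMPLE, "Demo.Hash.Sample")]
NDB = ["Demo.Pattern.pFragments:0:*:7046726167*3b{0-8}30303030"]
#      "pFrag", anything, ";", 0..8 bytes, then "0000"

_TOKEN = re.compile(r"\?\?|\*|\{(\d+)(?:-(\d+))?\}|[0-9a-fA-F]{2}")

def _tokens(hexsig: str):
    """Yield signature tokens left to right, rejecting syntax outside the subset."""
    pos = 0
    for m in _TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError(f"unsupported syntax near {hexsig[pos:]!r}")
        pos = m.end()
        yield m
    if pos != len(hexsig):
        raise ValueError(f"unsupported syntax near {hexsig[pos:]!r}")

def hexsig_to_regex(hexsig: str) -> re.Pattern:
    """Translate an ndb hex signature into a bytes regex."""
    parts = []
    for m in _tokens(hexsig):
        tok = m.group(0)
        if tok == "??":
            parts.append(b".")
        elif tok == "*":
            parts.append(b".*?")
        elif tok.startswith("{"):
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            parts.append(b".{%d,%d}" % (lo, hi))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)

def decode_hexsig(hexsig: str) -> str:
    """Roughly what `sigtool --decode-sigs` prints: fixed bytes as text, gaps kept."""
    out = []
    for m in _tokens(hexsig):
        tok = m.group(0)
        if tok in ("??", "*") or tok.startswith("{"):
            out.append(tok)
        else:
            b = bytes.fromhex(tok)[0]
            out.append(chr(b) if 0x20 <= b < 0x7f else f"\\x{b:02x}")
    return "".join(out)

@dataclass
class Hit:
    name: str
    kind: str        # "hash" or "pattern"
    start: int = -1  # matched byte span, pattern hits only
    end: int = -1

def scan(data: bytes, hdb: list, ndb: list) -> list:
    """Every signature that fires on data, i.e. clamscan's FOUND lines."""
    hits = []
    digest = hashlib.md5(data).hexdigest()
    for line in hdb:
        md5, size, name = line.split(":", 2)
        if md5 == digest and (size == "*" or int(size) == len(data)):
            hits.append(Hit(name, "hash"))
    for line in ndb:
        name, _target, offset, hexsig = line.split(":")[:4]
        rx = hexsig_to_regex(hexsig)
        m = rx.search(data) if offset == "*" else rx.match(data, int(offset))
        if m:
            hits.append(Hit(name, "pattern", m.start(), m.end()))
    return hits

def append_space(data: bytes) -> bytes:
    """The post's hash bypass: one extra byte changes both the md5 and the size."""
    return data + b" "

def flip_byte(data: bytes, index: int) -> bytes:
    """Case-flip one byte. Only an edit inside the matched span silences a pattern
    signature; choosing an edit that keeps the file working is format-specific."""
    return data[:index] + bytes([data[index] ^ 0x20]) + data[index + 1:]
```

`scan(SAMPLE, HDB, NDB)` reports both signatures; `scan(append_space(SAMPLE), HDB, NDB)` reports only the pattern one, which is exactly the hash-only case from the post. For the pattern hit, `SAMPLE[hit.start:hit.end]` shows the bytes that fire and `decode_hexsig(...)` shows the signature the way sigtool renders it (`pFrag*;{0-8}0000`); case-flipping a byte inside that span silences it, while flipping a byte outside the span does not. Against real ClamAV the equivalent steps are `sigtool --unpack main.cvd` (and daily.cvd), `clamscan FILE` to get the `FOUND` name, `sigtool --find-sigs=NAME | sigtool --decode-sigs` to see the pattern, and `clamscan -d my.ndb FILE` to test a modified signature or file. ClamAV also has logical (.ldb) and bytecode signatures, which this toy does not model.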
Note: This tutorial is for educational purposes only. The idea of such tutorials is to help newbies and security enthusiasts build effective signatures and gain some understanding of how antivirus solutions work.