Tuesday, February 23, 2010

Bypassing Antivirus using De-Obfuscation

About six months ago I was working on an idea for a new executable packer. Before I started coding, I performed some tests to see how easy current Antivirus products can be bypassed.

I chose the tool PwDump3 for testing as I did not want to handle real malware for the small test and this was sufficient as most AV products detect it as malicious software.

Two of my tests were quite simple:

Test1:
  • pack the program with upx
 Test2:
  • pack the program with upx
  • rename sections
  • add a time consuming loop to the programm, hoping that an AV scanner using generic unpacking will fail

The second test was somewhat successful - the detection rate dropped by 50%, whereas the first one did not really help bypass detection.

Now I wanted to take up the project again - checking what I did 6 months ago I also re-uploaded the testfiles to virustotal. To my surprise, these two testfiles led to almost identical results: 31/41 compared to 28/41.
As we all know and Kaspersky showed again recently, AV vendors often add detection for programs that are detected by other vendors, so one question arises: did they just add a static signature detecting my obfuscated version of the program or did the generic detection really improve?

The time consuming loop was really trivial, this is the code:

pushad
mov eax, 5
outer:
mov ecx, -1
inner:
xor ebx, ebx
loop inner
dec eax
jnz outer
popad

It should be fairly easy to detect something like that. I modified the executable so that it jumps to the end of the code section, executes the loop and then returns to the original entry point of the program.

After renaming the sections back to their original names set by UPX and replacing the loop with NOPs, I uploaded the program again. Surprisingly, only 16 of 39 scanners still detect that one, so now I bypassed 12 AV products by removing the obfuscation originally implemented...
Posted by Sven at 1:00 AM
Labels:

12 comments:

  1. UnknownSeptember 19, 2016 at 10:34 PM

    Get Free Camtasia studio 8 keygen

    ReplyDelete
  2. Danny EthanJune 1, 2021 at 9:54 AM

    This comment has been removed by the author.

    ReplyDelete
  3. Cheap Assignment WritersNovember 23, 2021 at 12:19 PM

    Your blogs are great.Are you also searching for philosophy of nursing? we are the best solution for you. We are best known for delivering nursing writing services to students without having to break the bank.

    ReplyDelete
  4. Cheap Assignment WritersNovember 23, 2021 at 12:20 PM

    Such great content.This is authentic. Are you also searching for nursing writing services login? we are the best solution for you. We are best known for delivering the best

    ReplyDelete
  5. Facebook loginJanuary 22, 2022 at 7:50 AM

    Thanks for the great post you posted. I like the way you describe the unique content. The points you raise are valid and reasonable. I am a tech support expert telling you about.
    metamask Login
    metamask wallet
    Metamask Extension

    ReplyDelete
  6. andyFebruary 9, 2022 at 6:29 PM

    AOL Mail Login My Account Sign in Tips
    my aol mail login
    How to Watch Amazon Prime Video in 2022: A Simple Guide
    amazon prime video login

    ReplyDelete
  7. TomFebruary 17, 2022 at 12:34 PM

    Hey people! If some of you really necessity assistance with essay or homework, you can ask this guys for help! They really know how to do it, and you can rescue your money and time! Check this best ghost writers and go for it! Excellent luck and have fun, my friend!

    ReplyDelete
  8. Emily BluntMarch 14, 2022 at 7:57 AM

    Customers can trade cryptocurrencies, precious metals, and national currencies with Uphold, a multi-asset digital financial company. This platform supports a variety of cryptocurrencies, including BTC, ETH, LTC, DOGE, and others. You can buy practically all cryptocurrencies, stablecoins, utility tokens, equities, national currencies, and metals with your local money. This exchange is simple to use and contains advanced security measures. With the use of the Uphold Login account, users can exchange digital assets without any issues or concerns.

    ReplyDelete
  9. Carl WoodApril 1, 2022 at 10:41 AM

    Registering for an Uphold login account is facile- all you have to do is keep a few details handy before getting to the official sign-up page and then on getting there, submit your email address, current residential nation, and in-use phone number.

    Among all the crypto wallets that exist, MetaMask login account in your browser is known to be the best in the entire Ethereum blockchain network and has quite the reputation when it comes to storing Ether and other Ethereum-based tokens (like ERC20).

    On the Kraken login platform, you can easily trade between 72 different cryptocurrencies as well as fiat currencies. The Kraken login is a legit and secured platform and the platform provides all of the tools that are in need to purchase and sell the crypto and creates a simple Bitcoin exchange that enables is suitable for beginners.

    ReplyDelete
  10. UnknownApril 18, 2022 at 9:14 PM

    Thanks for the great post you posted. I like the way you describe the unique content. The points you raise are valid and reasonable. I am a tech support expert telling you about.
    Gemini Login | Metamask Login | Blockefi Login | Coinbase Login | Uphold Login

    ReplyDelete
  11. Lilla WilkinsonJune 25, 2022 at 10:39 PM

    Thanks for joining us! Don’t let those assignments stress you if you don’t know how to complete them yourself. Read on to learn how you can benefit from our master papers custom essay writing service. Here are some groups of students who can benefit from custom paper help.

    ReplyDelete
  12. mike buxterDecember 10, 2022 at 1:56 PM

    On the site https://paperwritingservice.net/ you will find many proposals from competent authors in various academic disciplines, and the set deadlines and low cost make custom coursework services available to every student

    ReplyDelete

Subscribe to: Post Comments (Atom)