
Bypassing Antivirus with Ten Lines of Code - svenfaw
http://www.attactics.org/2016/03/bypassing-antivirus-with-10-lines-of.html
======
rmdoss
That's a common mistake of people that do not understand how AV's work and how
virustotal work. From their own FAQ:

At VirusTotal we are tired of repeating that the service was not designed as a
tool to perform antivirus comparative analyses, but as a tool that checks
suspicious samples with several antivirus solutions and helps antivirus labs
by forwarding them the malware they fail to detect. Those who use VirusTotal
to perform antivirus comparative analyses should know that they are making
many implicit errors in their methodology, the most obvious being:

-VirusTotal's antivirus engines are commandline versions, so depending on the product, they will not behave exactly the same as the desktop versions: for instance, desktop solutions may use techniques based on behavioural analysis and count with personal firewalls that may decrease entry points and mitigate propagation, etc.

-In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since the impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.

-Some of the solutions included in VirusTotal are parametrized (in coherence with the developer company's desire) with a different heuristic/agressiveness level than the official end-user default configuration.

thanks,

~~~
JoachimSchipper
I do not understand how this is a response to the article, which doesn't make
a comparison so much as claim that all AV suck.

~~~
Natsu
It seems to say that just because something passes virustotal with 0/56
doesn't necessarily mean it would pass every AV in a real attack.

~~~
JoachimSchipper
Does the comment actually say that, though? It would make sense if the comment
said that, but e.g.

> perform antivirus comparative analyses

is not what is happening here.

~~~
grub5000
> -VirusTotal's antivirus engines are commandline versions, so depending on
> the product, they will not behave exactly the same as the desktop versions:
> for instance, desktop solutions may use techniques based on behavioural
> analysis and count with personal firewalls that may decrease entry points
> and mitigate propagation, etc.

It says right in the parent comment that the VT results may not actually
reflect how the product performs in the real world.

------
K0nserv
This is interesting for signature based AVs. More interestingly bypassing
dynamic AV engines that execute code in a sandbox seems to be fairly trivial
as well. For example allocating 100mb or memory, running a few million
iterations in a loop during startup will cause most av engines to stop
executing the code due to resource constraints. This paper is a really
interesting read on the topic[0]

0:
[http://www.sevagas.com/IMG/pdf/BypassAVDynamics.pdf](http://www.sevagas.com/IMG/pdf/BypassAVDynamics.pdf)

~~~
eru
I guess you could only fix this with a whitelist instead of a blacklist
approach.

~~~
AnthonyMouse
A whitelist might not even work. In practice whitelists end up with everything
in the world on them. It might not be that hard to find a whitelisted program
that would let you do the thing in the article just by passing it the right
arguments. Certainly anything with a buffer overflow in it would work and
there are probably a hundred other ways to do it too.

~~~
daemin
Yep, one place where I used to work, the owning company's policy had "Linux"
on its whitelist, but not "Wireshark". Even though the company was developing
software which communicated over the network in various protocols.

------
feelix
I once wrote a kernel extension that intercepted any and all file open()'s on
OS X. If the application in question was opening a file that it was not
whitelisted to do so, it would bring up a modal dialog box asking whether or
not this application should be allowed to open this file.

It was basically a firewall on the kernel level.

It worked splendidly, however, I was never able to gain any traction in
marketing it. That was back at around OS X 10.4 now. I've been waiting for
another company to come along with something similar - since it really does
seem a comprehensive way of blocking viruses (albeit more suited to more
advance uses). I'm still waiting for something like that.

~~~
ams6110
Neat, but most people will just click "yes."

See Windows Vista.

~~~
noinsight
That's what happens when the answer is "yes" 99.9999% of the time. Have you
ever seen a case where "no" is appropriate?

------
fao_
It's initially worrying, but it makes a certain amount of sense when you think
that an antivirus is a blacklist (of _known vulnerabilities_ ), not a
whitelist.

Somewhat related:
[http://security.stackexchange.com/a/117312](http://security.stackexchange.com/a/117312)

------
lqdc13
A couple of things:

\- This wouldn't work for larger payloads. AVs flag binary looking data that
is larger than a certain size and that is later processed or assigned to a
variable.

\- Their veil project has some problems. Py2EXE gets marked as malware by some
AVs in many cases just because it is Py2EXE. Same thing with non-commonly used
obfuscators. Basically, they just pick up on the fact that something is
obfuscated. If that obfuscator is not commonly used in goodware programs, it
is marked as malware. This is kind of a dumb strategy on the part of AV
engines, but it works okay.

You're not going to catch new malware with static (or dynamic for that matter)
analysis anyway. Thing is, the problem is ill-defined.

What is malware?

Is it a program that does something a user doesn't want? If users knew what
regular programs do, they wouldn't be okay with most of it either.

Is it a program that does some obfuscating tricks and exploits undocumented
functionality in the system? Plenty of legit programs including a lot of AV
engines do that as well.

The only usable definition in my opinion is that it is a program that makes
the user unhappy with no easily accessible way of removing it completely.

This is why the only solution seems to be to only allow installation from a
trusted repository. I am still not sure why Windows/Apple OSX haven't adopted
such a strategy (with a developer mode override option for some advanced
users).

~~~
Razengan
> What is malware? Is it a program that does something a user doesn't want?

OS X Sandboxing seems to have the right idea: Instead of worrying about what
the user _doesn 't_ want, _do only what the user WANTS._

Basically, sandboxed apps don't have access to files and folders other than
the ones that the user explicitly chooses in an Open/Save dialog. It's a
surprisingly nag-free opt-in mechanism that "just works."

After that, automatic backups will let users revert any undesirable changes to
their data, whether they were made by their own selves or by malware.

I think operating systems should just do a better job of making the user more
aware of all recently-modified files, especially if a process has been
modifying a large number of them in a short time (the recent ransomware comes
to mind) or if a third-party background process has been generating an uncanny
amount of network traffic.

Seeing something like "1,590 files modified" on log-on or in a notification,
is way more alarming and would make users take immediate action, compared to
all the usual OS or antivirus nags that we are all accustomed to
subconsciously agreeing to.

~~~
seanp2k2
Re: OS nags...Windows is the worst IMO since UAC basically just asks ~it looks
like you're trying to do a thing, are you sure you want to do that thing? The
"open this program FROM THE INTERNET????" nag on OSX and Win are also pretty
pointless. I've never not clicked yes, but there's not an easy way to disable
this. It looks like it CAN be disabled with registry tweaks or GPEdit:
[http://www.sevenforums.com/tutorials/182353-open-file-
securi...](http://www.sevenforums.com/tutorials/182353-open-file-security-
warning-enable-disable.html) but kind of ridiculous that it's not just an
option, given how little it increases security (how many people don't just
blindly click "open"?)

~~~
lqdc13
What if it's a browser exploit that basically got the browser to "download and
open"? Then this would be the second line of defense - something is about to
run even though you didn't know expect it to run.

~~~
ryao
The "execute downloaded executable" protection predates UAC. It was introduced
in Windows XP SP2 and UAC implemented its own version of it, which created
double prompts:

[https://blogs.msdn.microsoft.com/e7/2008/10/08/user-
account-...](https://blogs.msdn.microsoft.com/e7/2008/10/08/user-account-
control/)

That being said, the "execute downloaded executable" protection only applies
when the binaries are marked as being from the internet, which is easy to
bypass. You just need to download the software in a way that the mark is not
applied (e.g. not through a software mechanism designed to apply it).
Furthermore, attacks need not rely on "execute downloaded executable". They
just need to achieve code injection, which bypasses the need to run through
the "execute downloaded executable" process. However, any injected code would
be able to download and open without triggering UAC by not marking the file as
having been downloaded from the internet. Such file marking is entirely
voluntary and malicious code would likely never voluntarily do it.

Protection against inadvertent execution of software downloaded from the
internet is the only function in UAC that is useful. The other functions are
designed to operate on already executing software. Since already executing
software can gain system privileges (above administrator privileges) via
vulnerabilities the that Microsoft refused to fix, it can do basically
anything it wants. UAC is fairly useless against it because anything it wants
includes turning off UAC. I know enough about Windows security that I stopped
using Windows years ago, so I do not know whether UAC would require malicious
software that has gained system privileges to turn it off. If it does, it
should be a simple matter. Anyway, the hot potato proof of concept code
demonstrates gaining system privileges by exploiting such vulnerabilities:

[http://foxglovesecurity.com/2016/01/16/hot-
potato/](http://foxglovesecurity.com/2016/01/16/hot-potato/)
[https://youtu.be/Nd6f5P3LSNM](https://youtu.be/Nd6f5P3LSNM)

The video of it running on Windows 7 uses the system privileges to give a
regular user administrator privileges. There is a Windows firewall prompt that
appears in the video, but it does not stop the exploit. The appearance of the
prompt ought to be avoidable because whatever triggered the Windows firewall
prompt was not necessary for the exploit and could be removed.

------
mettamage
Is this an oversight of the AV software companies? Did no one come up with
this before? Could it be that if people did come up with this before that a
lot of Windows computers have viruses without them knowing? Is their virus
detection scheme fundamentally flawed?

Should I be shocked? Shouldn't I be? I'm currently shocked but I don't know if
it's justified, not an expert in the field.

~~~
devit
No, this is not surprising at all.

It's impossible to determine whether software is malicious or not (Rice's
theorem).

Antivirus software only reliably detects code that is identical to known
malicious software.

~~~
V-2
That's not true - there's heurystic analysis techniques, generic signature
detection etc. Of course they may not meet your definition of "reliably"

~~~
ryao
> That's not true - there's heurystic analysis techniques, generic signature
> detection etc. Of course they may not meet your definition of "reliably"

The only reliable things in security are the things that an attacker cannot
bypass even when knowing that they in use (e.g. RSA). The premise of the
article being discussed is that heuristics are trivial to bypass.

------
bitwize
You're not secure until you whitelist. And even that's not a guarantee; it's a
necessary but sufficient condition. But systems which do not run signed,
whitelisted code from boot time forward are as good as pwnt.

~~~
catnaroek
> You're not secure until you whitelist.

No, a whitelist isn't good enough. You can't anticipate an exhaustive list of
the programs the user will want to run.

What you can do, however, is enforce a policy by which programs are required
to provide machine-checkable evidence, also known as proof-carrying code
[[https://en.wikipedia.org/wiki/Proof-
carrying_code](https://en.wikipedia.org/wiki/Proof-carrying_code)], that they
respect the system's safety policy.

> it's a necessary but sufficient condition

Perhaps you mean “not sufficient”?

~~~
bitwize
Yes, that's what I meant -- not sufficient.

Whitelisting seems to be working out well for Apple. It's a big part of why
they're the most secure smartphone platform.

------
martinald
Laughable. Ages ago I realised you could just take an exploit, base64 the
contents of the binary code, save it in a string. You could then unbase64 it
and execute the binary in memory. Nothing seemed to catch it.

~~~
mschuster91
You'd still need a decoding stub which can be fingerprinted. An XOR "decoder"
is far smaller in shellcode and can be custom written in asm to reduce time-
to-first-signature.

~~~
chris_va
You could just pepper the b64 with jmp statements and randomly intersperse
your decoder code.

------
cdevs
We just need a better sandboxing environment and individual permissions per
excitable i.e. "Can this excitable connect to blah blah up?" , "can this
program read outside of its sandbox folder?"

When you don't root your android or iPhone they handle it a lot better than
desktop operating systems.

~~~
eru
Only in the newer Android releases.

------
x5a
I used to work at a large, well known AV company. While much of what other
commenters have said is true, I will note that VT is less authoritative than
some realize; the version of our product that VirusTotal was given access to
was substantively different than our normal product; features such as
sandboxing were removed.

I wouldn't be surprised if this was a common practice; we considered our
product's detection capabilities to be proprietary.

------
Uptrenda
So after the program is actually compiled into binary code do the resulting
instructions become so simple (and so fundamental to the operation of
programs) that any attempt to write a heuristics rule to stop this technique
would break thousands of programs or are heuristics just so inherently shitty
that this technique works? Because I would still think that this line here:

void *exec = VirtualAlloc(0, sizeof c, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

Would be a red flag. I don't know how many programs use that on the Windows
side of things but I have almost never seen programs call this function that
weren't "crypters."

I am honestly impressed how simple this program is (it's the most elegant
crypter I've probably ever seen) but I am still wondering whether heuristics
could be made to detect this (without also falsely detecting thousands of
other programs?) What do you think OP? Not really my field but curious all the
same.

~~~
vortico
I believe this is how JIT compilation works. So this would trigger a false
positive on the Java VM, Javascript V8 interpreter, Spidermonkey, and C#
runtime.

~~~
yoklov
Also, most emulators of reasonably modern systems. Although JITs in VMs are a
few orders of magnitude more common.

------
magoon
It'll work until a virus scanner company distributes a virus definition file
containing a signature of your offending code.

~~~
Igglyboo
And then you change the code a tiny bit and the signature doesn't catch it
anymore.

~~~
quotemstr
> change the code a tiny bit

How? That's the principle that everyone's missing! Sure, you can change the
code a bit, but the millions of copies of your worm out there already can't
magically change themselves after AV vendors update their blacklist. Sure, you
can make a polymorphic worm, but even after mutation, your worm still probably
has common patterns that blacklist makers can catch.

I'm a fan of proactive, not reactive security --- but let's not pretend that
what AV vendors are doing is completely bogus.

You also have to keep in mind that blacklists are behavior heuristics are more
suited to a bygone age --- one of low-bandwidth, sporadic connections and
floppy disks that could be infected with trojans. Nowadays, we're more worried
about drive-by 0day flash exploits from ad networks than about infected, self-
propagating executables.

I've always found it fascinating that the human immune system has _both_
proactive and reactive security, just like our computers should. The innate
immune system [1] is analogous to mandatory access control, OS file
permissions, buffer hardening, and other non-specific security mechanisms. The
adaptive immune system, on the other hand, works like a blacklist updated
throughout your life (and propagated from mother to child!).

Both systems catch threats the other does not. There's still a lot to learn
from biology.

[1]
[https://en.wikipedia.org/wiki/Innate_immune_system](https://en.wikipedia.org/wiki/Innate_immune_system)
[2]
[https://en.wikipedia.org/wiki/Adaptive_immune_system](https://en.wikipedia.org/wiki/Adaptive_immune_system)

------
Uptrenda
So what's this line all about:

((void(*)())exec)();

Type cast a void pointer to a void pointer, execute the result, then execute
the result of that? Or ... Can anyone explain what's going on here?

~~~
kondbg
This is a common way of executing shellcode in a PoC.

Exec (before the cast) points to memory containing the shellcode data.

To actually start executing the shellcode, you just need to somehow cause the
program counter to point to the address of the shellcode.

An easy way to change the program counter is by calling a function ... which
is what this line does.

Read this as "cast exec to a pointer to a function that takes zero arguments
and returns void and call the function with no arguments."

This is the same as:

    
    
       typedef void (*some_func)();
       some_func func = (some_func)exec;
       func();
    

To familiarize yourself with C syntax regarding pointers, read about the
"right-left rule" [1]

[1]
[http://ieng9.ucsd.edu/~cs30x/rt_lt.rule.html](http://ieng9.ucsd.edu/~cs30x/rt_lt.rule.html)

~~~
Uptrenda
This is insanely clever. Thanks a lot for the explanation

------
Kenji
AV is a little and often useless supplement to security, nothing more. It has
always been trivially easy for a script kiddie to write malicious software
that passes all of VirusTotal. In the decade I've been using AV, I had less
true positives than false positives (yes please auto-delete my patches,
hacktools and software I've written myself, idiot AV program) and of course
some false negatives that wrecked me because I executed them. Since I stopped
using AV and became more careful (e.g. use VM for suspicious files) I was
never infected again.

------
spydum
Can do you one better.. bypass Sophos AV in a single byte..
[https://www.youtube.com/watch?v=4xEzqISAmKI](https://www.youtube.com/watch?v=4xEzqISAmKI)

------
wepple
lets not forget that this isn't actually all that practical in practice.

It's not executing any old binary: the 'shellcode' has to be position-
independent and can't rely on any normal PE features; it has to do all it's
library loading on it's own etc.

yes, very possible to create. but if your malware/tool you want to run is
large, it will take a fair amount of time to convert.

------
elcct
Most Antivirus software makes your system work like it has a virus. Most of
them will eventually let intruder in. Waste of money in my opinion.

------
CyberDildonics
I've said it before but as hard as it might be to believe, I think smalltalk
was 30 years ahead of its time when every program was packaged inside its own
OS image.

Anti-virus bypasses and even exploits are extremely common. My current line of
thinking is that the best way to take control of your computer is to use
virtualization to run many separate OS images for different sets of uses.

~~~
feintruled
Interesting, but would have obvious drawbacks when it comes to addressing any
OS vulnerabilities or improvements - suddenly you have to reinstall ALL your
applications!

This reminds me of Nintendo's approach to emulation for their Virtual Console,
actually. Rather than having a standalone emulator that you download images
for, they package the emulator with the game. This way they never have to
worry about inadvertantly breaking anything with a future release, but on the
other hand any subsequent emulator improvements do not retroactively apply.

~~~
CyberDildonics
I think you could save and fork OS images. At the same time I would think
vulnerabilities wouldn't matter as much, but you are right that it adds
complexity to managing a system.

------
flyinghorse
Try running the binary instead of just scanning it for signatures. It will be
detected by the heuristics engines of most AVs. I'm not saying that AVs are
good but articles like this that only focus on defeating signatures while
leaving away heuristics (emulation, behavior detection, and even white listing
to some extent) don't do the subject justice.

------
cryowaffle
How many times do you plan on posting this?

~~~
gus_massa
This has been postested 3 times. From the FAQ:

> _Are reposts ok?_

> _If a story has had significant attention in the last year or so, we kill
> reposts as duplicates. If not, a small number of reposts is ok._

> _Please don 't delete and repost the same story, though. Accounts that do
> that eventually lose submission privileges._

Looking at the public available data of the 3 submitters, they look like real
independent user (not sockpuppets or something).

------
feintruled
I suppose the value in AV is that you are like one of the proverbial guys
being chased by the lion - you don't need to outrun the lion, only the other
guy. In this case, you just hope any malware hits enough other poor suckers
first that your AV of choice is updated in time to save you.

------
001spartan
Yes, this shows that antivirus is trivial to bypass. However, antivirus is not
the last word in endpoint protection. While this method can be used to get
otherwise ordinary payloads past antivirus, behavior-based detection and
application whitelisting can be used to prevent many of these attacks.

~~~
ryao
Proper security hygiene can prevent most attacks, not better antivirus
software. Proper security hygiene means:

* applying security updates

* enforcing least privilege

* reducing attack surface (e.g. Does your desktop really need open ports?)

* using decent passwords and two factor authentication when possible

* not reusing passwords in case a place where you used a password is compromised

* not executing code from untrusted sources

* checking whether code from a trusted source is vulnerable to a MITM attack before executing it

* saying no to prompts for elevated privileges unless you can prove to yourself that there is a good reason for them and finding out what caused a prompt for elevated privileges when you see no legitimate reason for it

* wiping a system should you think it might have been compromised and maybe also discarding the hardware just in case firmware was altered, which is what the US government tells US CEOs to do with things that they bring to China

* not providing confidential information (e.g. your password) just because someone claiming to be a trusted party such as IT called asking for it

That last one is how the NSA red team hacked the Pentagon's Joint Staff
intelligence directorate when doing penetration testing as part of a "war
game" in 1997:

[http://www.slate.com/articles/technology/future_tense/2016/0...](http://www.slate.com/articles/technology/future_tense/2016/03/inside_the_nsa_s_shockingly_successful_simulated_hack_of_the_u_s_military.html)

That said, there are likely more when thinking about confidentiality (the
other half of security), but these are the ones that occur to me when I think
about ensuring system integrity.

Anyway, antivirus does not save you if you fail to do any of those things.
Anything that could get by all of that would be a zero-day attack where
antivirus software is likely to be similarly useless. Not all zero-day attacks
can get past all of that (minimal attack surface is awesome). If you are the
principle target (like the Pentagon was for the NSA red team), antivirus
software has no chance of saving you against a zero-day attack.

------
awqrre
It appears that not much have changed in the last ~20 years, when looking at
mainstream antivirus software... I used to be able to move around a few
assembly instructions inside a virus to avoid detection while still
maintaining 100% of the virus' features

------
anc84
Read
[https://www.virustotal.com/en/faq/#statistics](https://www.virustotal.com/en/faq/#statistics)

