Blog: How-Tos

Defeating corporate anti-virus

Ken Munro 20 May 2014

Introduction

Anti-virus products aren’t as good at detecting viruses and malware as many would claim. Even anti-virus vendors are questioning the future of their own products. We demonstrated how easy it is to modify malware code to evade detection by A/V, using readily available tools, some freeware, some commercial.

We also showed how many A/V vendors failed to update their detection signatures and/or engines in light of new samples that had been shared with them 12 months earlier. To do this we seeded fresh malware samples into publicly shared virus databases, in an attempt to identify which products and manufacturers responded to these new “threats”, and which ones failed to detect them at all.

We ran a live demonstration where we compared results from around 50 A/V products in real time, submitting the samples for evaluation and generating detection results live on stage. Evasion of A/V and delivery of exploits to a desktop user were shown in real time, and no, we didn’t need to write a ‘zero day’ exploit to do this. We discussed low-cost mitigation, such as freeware honeypots, that can be used to gather samples and also detect an attacker should they actually get on to your network.

What did we show?

  • Which were the most effective A/V products and which are the most responsive to new and current threats?
  • How to better defend your network and users from malware threats; know what to look for and where to find it.
  • Gathering and using tools to independently evaluate A/V products; be sure that you buy a good anti-virus product at your next renewal.

How do you collect current virus samples to test?

If you are comfortable with using your own corporate network to collect malware then skip this part. If that idea makes you nervous (and it should, no matter how seasoned you are) then read on.

Build a honeypot, or “production honeypot” as Wikipedia would have us call it. Maybe add a honeynet too. Take a look at www.honeynet.org for further reading and resources on these.

Put the honeypot on a subdomain (xyz.yourdomain.com) configured to offer fake vulnerable services. Make very sure it’s completely isolated from your business network though! One of the most popular VMware images from the Honeynet Project is a Windows 2003 Server that appears vulnerable to MS08-067, the vulnerability in the Windows Server Service that Conficker exploited. You can then sit and see what those naughty script kiddies send you. Here are a few that we gathered this week for the demonstration:

Trojan-FDPE!Gamarue!81110BE20624
Trojan-FBJW!253E2F0B40CC
StartPage-NY!27777B5E27BC
RDN/Generic PWS.y!yz!86A3148A16B1
RDN/BackDoor-FBSA!a!298CAF9EDD27
Pasta!2A2DC8DEA7C0
Generic Dropper.cx!816BEB41D329
Generic Downloader.x!293504A51E9F
BackDoor-FEH!7EFE2A167DE9
PWS-Banker.gen.b!7A4D7AD8AB53

…but these are clearly ‘script kiddie’ level samples – easy to detect, widely known.

Using honeynets for gathering more advanced malware

If you want to gather more interesting malware samples you’ll need to entice a spear phisher, and that’s where a honeynet comes in.

Make up some names and set up some fake email aliases for them on your domain, maybe for a non-existent Director’s PA, or a fake administrator in the accounts department. Possibly a design engineer that might work on creating intellectual property? The idea is that you would then spread these names and email aliases around the internet, making them appear genuinely human. Create bogus social media accounts, maybe ghost write from them in the odd forum, that type of thing. When the attacker researches your organisation, they find these ‘individuals’ and customise their attack, mailing them their cleverly built malware.

…except that the victims are fake, and when the email arrives, you know it’s dodgy.
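Because the decoy personas never receive legitimate mail, the detection side of a honeynet like this is simple: any delivery to a decoy alias is an alert. The script below is an added example, not part of the original post; it correlates Postfix-style mail log lines by queue id and raises an alert for each message addressed to a decoy. The decoy aliases, domains and the log lines themselves are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed decoy aliases: the non-existent Director's PA, accounts admin
# and design engineer personas from the post. Placeholders, not real mailboxes.
DECOY_ALIASES = {
    "j.whitlock@example.com",       # fake PA
    "accounts.admin@example.com",   # fake accounts administrator
    "design.eng@example.com",       # fake design engineer
}

# Constructed Postfix-style log lines (not real traffic): one message to a decoy,
# one genuine message to a real user.
SAMPLE_MAIL_LOG = """\
May 20 09:12:01 mx postfix/smtpd[2311]: 4F2A1: client=unknown[198.51.100.23]
May 20 09:12:01 mx postfix/qmgr[1110]: 4F2A1: from=<hr-update@example.net>, size=48211, nrcpt=1 (queue active)
May 20 09:12:02 mx postfix/local[2320]: 4F2A1: to=<j.whitlock@example.com>, relay=local, status=sent (delivered to mailbox)
May 20 09:15:44 mx postfix/smtpd[2315]: 7B9C3: client=mail.partner.example[203.0.113.8]
May 20 09:15:44 mx postfix/qmgr[1110]: 7B9C3: from=<bob@partner.example>, size=3120, nrcpt=1 (queue active)
May 20 09:15:45 mx postfix/local[2322]: 7B9C3: to=<alice@example.com>, relay=local, status=sent (delivered to mailbox)
"""

# Each message is spread over several lines; the queue id ties them together.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>\w+): client=(?P<client>\S+)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>")
TO_RE = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]+)>")


def correlate(log_text):
    """Group log lines by queue id into {qid: {client, sender, recipients}}."""
    msgs = defaultdict(lambda: {"client": None, "sender": None, "recipients": []})
    for line in log_text.splitlines():
        if m := CLIENT_RE.search(line):
            msgs[m["qid"]]["client"] = m["client"]
        elif m := FROM_RE.search(line):
            msgs[m["qid"]]["sender"] = m["sender"]
        elif m := TO_RE.search(line):
            msgs[m["qid"]]["recipients"].append(m["rcpt"].lower())
    return dict(msgs)


def decoy_hits(log_text, decoys=DECOY_ALIASES):
    """One alert per message that reached any decoy alias, with the sender and
    connecting client so the message can be pulled from the mailbox for analysis."""
    alerts = []
    for qid, msg in correlate(log_text).items():
        hit = [r for r in msg["recipients"] if r in decoys]
        if hit:
            alerts.append({"queue_id": qid, "client": msg["client"],
                           "sender": msg["sender"], "decoys": hit})
    return alerts


if __name__ == "__main__":
    for alert in decoy_hits(SAMPLE_MAIL_LOG):
        print(f"DECOY HIT {alert['queue_id']}: {alert['sender']} via {alert['client']} -> {alert['decoys']}")
```

Point the script at the real mail log (or a log shipper) and route the alert to whoever triages samples; the message that triggered it is the fresh sample you wanted to collect, and nothing legitimate is ever caught because the aliases are not real people.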

Malware packing

You will also see more interesting malware samples arrive at your honeypot. These will include samples that have been ‘packed’, often using freeware packers.

A quick analysis with the PEiD analysis tool (Packed Executable Identification) gives us basic pointers towards what is being used by script kiddies to pack malware at the moment.

What is a packer, and how could you use one?

There are different types of portable executable (PE) file packers which function in varying ways. A straightforward PE packer just compresses files or .exes. A PE crypter encrypts its contents to prevent them from being disassembled, and to stop reverse engineering and theft. A PE protector looks after its contents to prevent them from being debugged. One or more of these functions can be available in one packer, depending on which one you use.

Most packers compress and/or encrypt the original portable executable. The packed data is stored in new sections, and a new entry point is assigned where a decompression (or decryption) stub goes to work before handing control to the original code. This is what disguises the signature that the A/V uses to detect the malware.

In terms of the process, the actual unpacking occurs in MEMORY. There is no file system access. This means that as far as the script kiddie is concerned it’s pretty much the ideal delivery mechanism; stealthy and clean.
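PEiD identifies packers by signature; a defender triaging honeypot samples can also spot packing from structure alone, because a packed file has sections with near-random (compressed or encrypted) content and an empty on-disk section reserved for the unpacked code. The following Python is an added example, not a tool from the post: it walks the PE section table and reports those indicators. The packer section-name list, the entropy cut-off of 7.0 bits per byte, and the two synthetic PE images it builds for itself are all assumptions of the example.

```python
import math
import random
import struct
from collections import Counter

# Section names well-known packers leave behind. Assumed starter list (UPX and
# MPRESS use these); extend it with whatever PEiD shows you on your own samples.
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".MPRESS1", b".MPRESS2"}
# Compressed or encrypted data is close to random; 7.0 bits/byte is an assumed cut-off.
HIGH_ENTROPY = 7.0


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, up to 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_header_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_header_size
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "raw_size": raw_size, "entropy": entropy(raw)})
    return sections


def packing_indicators(pe: bytes):
    """Return human-readable reasons to suspect packing; an empty list means none were found."""
    findings = []
    for s in parse_sections(pe):
        label = s["name"].decode("ascii", "replace")
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append(f"section {label} is a known packer section name")
        if s["raw_size"] and s["entropy"] >= HIGH_ENTROPY:
            findings.append(f"section {label} has near-random content (entropy {s['entropy']:.2f})")
        if s["raw_size"] == 0 and s["virtual_size"]:
            findings.append(f"section {label} is empty on disk but {s['virtual_size']:#x} bytes "
                            "in memory (typical unpack target)")
    return findings


def build_fake_pe(sections):
    """Construct a minimal PE carrying only the headers the walk above needs.
    sections = [(name, virtual_size, raw_bytes)]; no optional header is emitted."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    headers, body = b"", b""
    for name, vsize, raw in sections:
        headers += struct.pack("<8sIIII", name, vsize, 0x1000, len(raw), raw_ptr if raw else 0)
        headers += b"\0" * 16  # remaining section header fields unused here
        raw_ptr += len(raw)
        body += raw
    return dos + b"PE\0\0" + coff + headers + body


def sample_images():
    """Two constructed images: one laid out like a UPX-packed binary, one plain."""
    rng = random.Random(2014)
    noise = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for compressed code
    packed = build_fake_pe([(b"UPX0", 0x8000, b""), (b"UPX1", 0x1000, noise)])
    plain = build_fake_pe([(b".text", 0x1000, b"\x90" * 2048 + b"\xc3" * 2048)])
    return {"packed": packed, "plain": plain}


if __name__ == "__main__":
    for label, image in sample_images().items():
        print(label, packing_indicators(image) or ["no packing indicators"])
```

Run it over a quarantine directory and the high-entropy and empty-section findings flag the packed samples regardless of which packer was used, which is exactly the case where a name-based signature falls silent. It says nothing about whether the payload is malicious; as the notepad.exe result later in this post shows, legitimate software is packed too, so treat the output as a triage cue, not a verdict.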

If you want more technical detail of packers, you could start here, http://en.wikipedia.org/wiki/Executable_compression though there are extensive resources on the internet. The Veil-Framework project https://www.veil-framework.com/ by Chris Truncer is also well worth a read.

Some packers

Not all packers are created equal. Some are useful purely because of serendipity. They just happen to have qualities that are interesting to an attacker. For example, the game developers’ favourites MoleBox and Phoenix Game Protection were built to wrap games up as single .exe files, to prevent interception and piracy.

Others such as Veil-Evasion are dedicated pieces of software designed to deliver payloads beyond perimeter detection. They are ideal for delivering malware into an organisation, particularly by email.

This is a selection of packers that are most commonly used for A/V evasion:

PolyCryptPE http://www.teamfurry.com/wordpress/2007/02/06/unpacking-polycryptpe/ (Page now dead)

Still available from various download sites, but not supported directly any more, this packer provides encryption and debug protection.


PECrypt http://www.primewares.com/BitShape_PE_Crypt-11495.html (Page now dead)

This MS Windows specific packer is a crypter that uses multiple types of encryption. It was also designed to detect SoftICE (a kernel mode debugger) and cease functioning if it encountered it.


UPX (Ultimate Packer for eXecutables) http://upx.sourceforge.net/

This freeware packer does just one job: it compresses to a high ratio and decompresses quickly.


MoleBox http://www.molebox.com/

This packer was designed for developers from the ground up. It encrypts and compresses, and runs its .exe in a virtual environment.


Hyperion http://www.nullsecurity.net/tools/binary.html

This PE crypter is unusual in that it uses weak AES encryption, and essentially throws away the keys. Its output is an encrypted executable. When that output file is run, the executable brute forces the encryption keys, and then runs the now decrypted executable.


Veil-Evasion https://www.veil-framework.com/framework/veil-evasion/

This is more of a payload generator than a packer; it generates payloads that are virtually undetectable.


What is the VirusTotal API, and why is it useful?

VirusTotal maintains a current licence to around 50 mainstream anti-virus products. You can upload a sample and see who detects it as malware – very useful if you’re concerned about a suspicious file. You just sign up and generate an API key; there’s no need to use the web interface.

There are various Python scripts around to help you interact with VirusTotal. There is a rate limit though: 4 submissions per minute. You can request more if you need to. A good idea is to use the avsubmit.py script (http://code.google.com/p/malwarecookbook/source/browse/trunk/4/4/avsubmit.py), as it handles submissions to other aggregators such as ThreatExpert too. A more advanced service is https://malwr.com/, where you can upload samples and it will do a basic analysis for you.
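To show what “use the API rather than the web interface” looks like in practice, here is an added example (not avsubmit.py and not the post’s own script) written against the v2 file/report endpoint that was current when the post was written. It paces requests to the 4-per-minute public quota quoted above, reduces a report to the list of engines that flagged or missed the sample, and diffs two reports of the same hash taken at different times, which is the year-on-year comparison the post performs by hand later on. The endpoint URL, the rate limiter and the two constructed reports (placeholder hashes, placeholder vendor names) are assumptions of the example; a real key is read from the VT_API_KEY environment variable only when you run it yourself.

```python
import json
import os
import sys
import time
import urllib.parse
import urllib.request

# v2 endpoint as documented at the time of the post (assumption: the v2 shape).
VT_REPORT_URL = "https://www.virustotal.com/vtapi/v2/file/report"
PUBLIC_RATE_LIMIT_PER_MIN = 4  # the public-key limit quoted in the post


class RateLimiter:
    """Spaces calls evenly so a public key never exceeds its per-minute quota.
    clock and sleep are injectable so the pacing can be checked without waiting."""

    def __init__(self, per_minute, clock=time.monotonic, sleep=time.sleep):
        self.interval = 60.0 / per_minute
        self._clock, self._sleep = clock, sleep
        self._next_allowed = 0.0

    def wait(self):
        """Block until the next call is allowed; returns the seconds waited."""
        now = self._clock()
        delay = max(0.0, self._next_allowed - now)
        if delay:
            self._sleep(delay)
        self._next_allowed = max(now, self._next_allowed) + self.interval
        return delay


def fetch_report(api_key, resource, limiter=None, opener=urllib.request.urlopen):
    """Look up an existing report by MD5/SHA-1/SHA-256. Querying by hash first avoids
    uploading (and therefore sharing) a file VirusTotal may already know about."""
    if limiter is not None:
        limiter.wait()
    query = urllib.parse.urlencode({"apikey": api_key, "resource": resource})
    with opener(f"{VT_REPORT_URL}?{query}", timeout=30) as resp:
        return json.load(resp)


def summarise_report(report):
    """Reduce a v2 report to what an evaluation needs: who flagged it, who missed it.
    Returns None when VT has no finished report (response_code 0 = unknown, -2 = queued)."""
    if report.get("response_code") != 1:
        return None
    scans = report["scans"]
    detected = sorted(engine for engine, r in scans.items() if r.get("detected"))
    missed = sorted(engine for engine, r in scans.items() if not r.get("detected"))
    return {"resource": report.get("sha256") or report.get("md5"),
            "scan_date": report.get("scan_date"),
            "positives": report["positives"], "total": report["total"],
            "detected": detected, "missed": missed}


def compare_reports(older, newer):
    """Which engines gained or lost detection of the same sample between two scans."""
    before = set(summarise_report(older)["detected"])
    after = set(summarise_report(newer)["detected"])
    return {"gained": sorted(after - before), "lost": sorted(before - after)}


def constructed_reports():
    """Two constructed v2-shaped reports for one hash, a year apart. Placeholder values only."""
    def scan(detected, result):
        return {"detected": detected, "result": result, "version": "0.0", "update": "20140401"}
    base = {"response_code": 1, "md5": "PLACEHOLDER-MD5", "sha256": "PLACEHOLDER-SHA256", "total": 4}
    older = dict(base, scan_date="2013-04-22 10:00:00", positives=1, scans={
        "VendorA": scan(True, "Backdoor.Generic"), "VendorB": scan(False, None),
        "VendorC": scan(False, None), "VendorD": scan(False, None)})
    newer = dict(base, scan_date="2014-04-22 10:00:00", positives=3, scans={
        "VendorA": scan(True, "Backdoor.Generic"), "VendorB": scan(True, "Packed.Generic"),
        "VendorC": scan(True, "Trojan.Agent"), "VendorD": scan(False, None)})
    return older, newer


if __name__ == "__main__":
    key = os.environ.get("VT_API_KEY")
    if key and len(sys.argv) > 1:  # real lookup of the hash given on the command line
        report = fetch_report(key, sys.argv[1], RateLimiter(PUBLIC_RATE_LIMIT_PER_MIN))
        print(summarise_report(report) or "sample not known to VirusTotal")
    else:                          # offline walk-through on the constructed reports
        older, newer = constructed_reports()
        print(summarise_report(newer)["positives"], "of", newer["total"], "engines detect it")
        print(compare_reports(older, newer))
```

Keep the hash lookup as your first step: because VirusTotal shares every flagged upload with the vendor community, uploading is a disclosure, and a sample that is already known needs no upload at all.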

VirusTotal does indeed show you that lots of vendors seem to deal well with malware threats, but what happens when you pack those threats and run them through again?

Here’s what happened…

We started with Metasploit’s Meterpreter reverse shell, as it’s a widely recognised and extremely capable backdoor. This was used to show how easy it is to deliver an exploit via email and create a back door on the victim’s machine. We outputted Meterpreter to VBA script code, which was then imported into an Office document with macros enabled.

We chose the .xlsm file extension for the attachment, as we had success bypassing FireEye with this file type around 18 months ago. This issue was reported to the vendor and fixed within 4 weeks. Next, we packed the same Meterpreter shell back door with several different packers to see how detection varied between A/V engines. Each of the samples was submitted live to VirusTotal API to run it past 51 mainstream A/V products.

Finally, we had seeded VirusTotal last year with some new malware samples. One year later, we then tried exactly the same samples live during the demo to see which vendors had detected the sample. Note that VirusTotal shares all samples uploaded to it with the anti-virus community, so long as at least one product flags it.

The following 5 samples were uploaded live at Infosecurity Europe 2014:

# Description Results
1. Unencoded/unpacked Meterpreter shell, for reference detection. 33/51 detected. Pretty poor, given how well known Metasploit and the Meterpreter shell are.
2. A UPX packed version of the above. 37/51 detected. Some detected the packer, not the malware itself.
3. The Windows notepad.exe file, packed with UPX. 17/51 detected the packer again, not the binary (which in this case is a legitimate Windows app). This leads to high false positive rates when crypto packers are used for legitimate purposes, such as protecting code from piracy!
4. Meterpreter shell packed with PolyCrypt. 20/51 detected. This is a script kiddie tool that fools many A/V engines.
5. Meterpreter shell packed using Veil-Evasion, but with a custom written template. 3/51 detected. This sort of hardcore packing defeats pretty much everything. No mainstream A/V products detected this.


NOTE: Please do not upload samples packed with Veil-Evasion using the standard templates to VirusTotal. It will affect much of the good work that Chris Truncer and others have been doing.

Does A/V detection improve with time?

One year ago we packed our Meterpreter shell using three different methods, to better evaluate the vendors’ capabilities.

The first was the VBA macro version described above, imported into an Office document. The second was packed with the nullsecurity team’s Hyperion, a portable executable (PE) crypter that encrypts the binary with AES using a 128-bit key. The third was packed with MoleBox (VS), a dedicated code packer that also functions as a virtual file system; it’s used by game and software developers to protect their intellectual property.

The results

Bear in mind that these are exactly the same samples as were uploaded a year ago, with the same MD5 checksum.

Sample | Vendors detecting it, April 2013 | Vendors detecting it, April 2014 | Improvement rate | Comments
Meterpreter shell outputted to VBA script code, then imported into an Office document and enabled to run macros | 4 of 51 | 14 of 51 | 5% | McAfee & Symantec are the only mainstream vendors to detect it.
Hyperion packed Meterpreter shell | 19 of 51 | 33 of 51 | 7% | Still being missed by McAfee & Symantec. Most detected the packer, not the payload.
MoleBox packed Meterpreter shell | 10 of 51 | 29 of 51 | 10% | Missed by Symantec.


Look at those improvement rates! Not terribly impressive is it?

In one year, after we made the information available to vendors via VirusTotal, the best they could manage between them was an improvement of 10%, and that wasn’t even for the payload.

Bearing in mind that this data is readily available to them the results might make your toes curl a little.

Summary

We found that by packing malware with a free tool like Veil-Evasion we could bypass all mainstream anti-virus products, including some very big name vendors.

Now that the signatures are on VirusTotal you’d really think that detection would have improved, wouldn’t you?
But it hasn’t.

Bearing in mind the flaws and failings we found, we strongly recommend that you ask your A/V vendor to stop adding advertising footers to your emails. By sticking something like this on every outbound email you’re basically telling an attacker what malware they are likely to be able to use against you:

This email has been scanned by the XYZ anti-virus service.
For more information please visit http://www.XYZcloud.com

What you can do

Anti-virus: Evaluate your own A/V products using the VirusTotal API.
If it helps we can give you custom scripts to run.
Packers like Hyperion, mpress, UPX are available online, but be careful where you download them from! MoleBox is also worth trying, but remember the $150 price tag.

IPS/IDS: Test run some REAL malware samples.

We are happy to send you some samples, but be VERY careful, and isolate your test environment. Use TCP Replay to avoid causing real infections, and ensure the consistency of test cases.

Contact us: We can give you a hand running your evaluations.

Conclusion

Anti-virus simply isn’t enough by itself. It’s an important part of your defences, but just a part.

Do evaluate the products you use regularly, particularly so at renewal time. It’s quite fun to watch their sales rep squirm too!

DISCLAIMER: As these could potentially harm your network/work stations/mobile devices etc., PTP cannot take any responsibility for any adverse effects that these tests may cause. It is recommended that you understand the potential consequences before attempting this.