AV bypass made stupid
Wednesday, June 2, 2010 at 11:41PM

*WARNING* if you use fgdump like I did, it extracts pwdump to %TEMP% at run time, which is detected by AV.
First of all, I was floored when this worked. Really AV? It’s that easy? Really?
So here is the breakdown: go get “Resource Hacker”… You’re almost done. Only 3 steps left (1 of which is optional).
I started with fgdump, a well known hashdumping/pwdump tool. It’s detected by 80% of all AVs and by all the top 10. You see this on your AV report for your domain controller, and you’re having a bad day, probably week.
Watch this magic trick though:
[*] Step 1:
Open Res Hacker and drag a “normal” executable on to the window or Open File.
Click “Save All Resources”
Essentially what you are doing in this step is simply extracting the .ico file (Icon) from the executable. Now you can do this with other tools, but we’ll be using resource hacker in a minute again, so it’s just easy to do it all with one tool.
We are done with this executable unless you are doing Step 2; in that case, leave it open, open another Res Hacker window and open your ‘evil’ binary (in our case, fgdump.exe).
[*] Step 2 (Optional):
If your destination executable has tell-tale signs of its intent, much like fgdump as seen below:
You can simply copy and paste the version info from your ‘normal’ executable into your new one and hit “Compile Script”:
[*] Step 3:
Next we need to “Add a new Resource” (our icon) into our “evil” binary.
Once this prompt comes up, select the ICO file that shows the icon you want it to have (some binaries have a ton, so make sure it’s the right one). Put in ‘1’ for resource name, and ‘1033’ for your resource language. (You can play with these values, not sure what impact they have, but from the binaries I’ve looked at those values are pretty standard for a windows executable).
Save your new awesome binary as something else; I chose vlc2.exe.
And… (drum roll)
Tada! Sad isn’t it? Only 1 of the top 10 AVs now detects this binary. Good job AVG and Avast! You still picked it up, but Trend, Symantec, Microsoft, ClamAV, Kaspersky, Panda, Norman, NOD32, Sunbelt, F-Secure, Fortinet, BitDefender, WTF guys!?
Oh and Kaspersky now flags it as “not-a-virus” but still flags it.
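What the result above shows, from the detection side, is that the engines that lost the binary were keyed on something the icon and version-info edit changed: most likely the whole-file hash or a signature over the .rsrc section. A fingerprint that skips the resource section survives that kind of edit entirely. The script below is an added example and is not code from the post or from any of the tools it names: it builds two tiny, constructed PE images (same code section, different resource section, not loadable binaries), then shows that the whole-file SHA-256 changes while a hash over the non-resource sections does not. The PE layout constants (e_lfanew at 0x3C, 20-byte COFF header, 40-byte section headers) are the standard format; the sample bytes are made up.

```python
"""Resource-invariant fingerprint for PE files (added example).

Shows why a signature keyed on the whole-file hash breaks when only the icon
or version-info resource changes, and how hashing the non-resource sections
instead survives that edit. The PE images are constructed inline so the
script runs offline; they are not real or loadable binaries.
"""
import hashlib
import struct

E_LFANEW_OFFSET = 0x3C          # DOS header field pointing at "PE\0\0"
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
SECTION_FMT = "<8sIIIIIIHHI"    # IMAGE_SECTION_HEADER
RESOURCE_SECTIONS = {b".rsrc"}

# Constructed sample data: a stand-in "code" section and two resource blobs
# (the second mimics swapping in another program's icon and version strings).
CODE = b"\x55\x8b\xec" + b"\x90" * 61 + b"\xc3"
RESOURCE_ORIGINAL = b"ICON:original-tool\x00" + b"\xaa" * 64
RESOURCE_SWAPPED = b"ICON:vlc\x00" + b"\x55" * 64 + b"VS_VERSION_INFO:SomeVendor\x00"


def build_minimal_pe(text: bytes, rsrc: bytes) -> bytes:
    """Construct a tiny, structurally valid PE with a .text and a .rsrc section.
    Only fields the parser below reads are meaningful; the optional header is
    zero-filled apart from its PE32 magic."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (E_LFANEW_OFFSET - 2)
           + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    opt_size = 224                                   # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\x00")

    headers_end = e_lfanew + 4 + COFF_HEADER_SIZE + opt_size + 2 * SECTION_HEADER_SIZE
    align = 0x200
    text_off = (headers_end + align - 1) // align * align
    text_raw = text.ljust(align, b"\x00")
    rsrc_off = text_off + len(text_raw)
    rsrc_raw = rsrc.ljust(align, b"\x00")

    def header(name, vsize, vaddr, rawsize, rawptr, flags):
        return struct.pack(SECTION_FMT, name, vsize, vaddr, rawsize, rawptr,
                           0, 0, 0, 0, flags)

    sections = header(b".text", len(text), 0x1000, len(text_raw), text_off, 0x60000020)
    sections += header(b".rsrc", len(rsrc), 0x2000, len(rsrc_raw), rsrc_off, 0x40000040)
    image = dos + b"PE\x00\x00" + coff + opt + sections
    return image.ljust(text_off, b"\x00") + text_raw + rsrc_raw


def iter_sections(pe: bytes):
    """Yield (name, raw_bytes) for each section header in a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, E_LFANEW_OFFSET)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image: missing PE signature")
    coff_off = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff_off + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff_off + 16)
    sec_off = coff_off + COFF_HEADER_SIZE + opt_size
    for i in range(num_sections):
        hdr = struct.unpack_from(SECTION_FMT, pe, sec_off + i * SECTION_HEADER_SIZE)
        name, rawsize, rawptr = hdr[0].rstrip(b"\x00"), hdr[3], hdr[4]
        yield name, pe[rawptr:rawptr + rawsize]


def code_fingerprint(pe: bytes) -> str:
    """SHA-256 over every section except the resource section(s), so an icon
    or version-info swap does not change the result."""
    h = hashlib.sha256()
    for name, data in iter_sections(pe):
        if name in RESOURCE_SECTIONS:
            continue
        h.update(name + b"\x00" + data)
    return h.hexdigest()


def whole_file_hash(pe: bytes) -> str:
    return hashlib.sha256(pe).hexdigest()


def demo() -> dict:
    """Compare the two fingerprints across an original and a re-skinned image."""
    original = build_minimal_pe(CODE, RESOURCE_ORIGINAL)
    reskinned = build_minimal_pe(CODE, RESOURCE_SWAPPED)
    return {
        "whole_file_changed": whole_file_hash(original) != whole_file_hash(reskinned),
        "code_fingerprint_same": code_fingerprint(original) == code_fingerprint(reskinned),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real sample you would feed the file bytes to `code_fingerprint` and keep the section filter as the only resource-specific logic; production engines go further (import-table hashes, per-section and fuzzy hashes, code emulation), but the property is the same one: the fingerprint should depend on what the program does, not on what it looks like in Explorer.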
Rob Fuller

Reader Comments (9)
Depending on the product.... you can just change the Product Name or Internal Name within the header and it will bypass AV as well. I think that trick is even easier than the icon swap as you are just changing out text strings.
Actually, it is in most cases not enough.. half-guessing that you used virustotal.com to verify your findings.. To the best of my understanding they only have access to signature based antimalware.. no heuristics, sandboxing, further analysis or cloud-queries..
Nice blog though, I check in every now and then.
JJ
JJ- I actually did testing on installs of a bunch of the Enterprise product trials as well, with all the default settings, this simple change got around all of the ones I tested. The problem lies in the fact that sandboxing, further analysis and cloud queries only happen when something is thought to be suspicious by the AV, or when forensics are being done in the case of sandboxing. As far as heuristics go, I don't know enough about how each vendor does that to comment, but I haven't found one that does it very well, or else it would catch custom tools as well.
Check out http://blog.hispasec.com/virustotal/22
Has some caveats for VirusTotal and what it does and does not provide as below :)
Cool post, I RSS your Blog :) Great stuff.
Cheers,
crazytrain1978
We are rather tired of repeating that VirusTotal was not designed as a tool to perform AV comparative analyses, but as a tool that checks suspicious samples with several AV programs and helps AV labs by forwarding them the malware they failed to detect. Those who use VirusTotal to perform AV comparative analyses should know that they are making many implicit errors in the methodology, the most obvious being:
- VirusTotal AV engines are commandline versions, so depending on the product, they will not behave quite like the desktop versions: for instance, in such cases when desktop solutions use techniques based on behavioral analysis and count on personal firewalls that may decrease entry points and mitigate propagation, etc.
- In VirusTotal desktop-oriented solutions coexist with perimeter-oriented solutions; heuristics in this latter group may be more aggressive and paranoid, since impact of false positives is less visible in the perimeter. It is simply not fair to compare both groups.
Rob:
Well if it worked on major enterprise-level products then that is not a good sign. That means that a lot of the detection is not heuristic and relies on simple detection like md5-sums of the binaries (whack!).
Generic analysis of the import table, risk analysis of the combined API's as well as byte-code analysis to detect any possible anti-debugging or anti-VM techniques should detect a great deal of malware..
I've always wondered whether it would have any impact patching pad-bytes in binaries with ascii "Microsoft\0" or other major vendor names. Wouldn't surprise me if some antimalware solutions have quick 'n dirty code to reduce the amount of false positives.
if(strstr(binary,vendor[i]) != NULL) { next_binary(); }
;-)
Very true :) caveats aside, the larger players have no excuse to have holes in their net this size :) I used the same technique to modify a few command line tools using a hex editor to fiddle the strings containing File Version, Company, Internal Name, Product Version etc. and then tested against VirusTotal and it worked nicely :) It would be interesting to see which company’s cmd line represented tools fall for this kind of thing in relation to their size and market share. :) My guess would be that a lot of the large giants would fall into this and the smaller and leaner ones will not.
Cheers,
crazytrain1978
Hi,
What about Sophos AV?
I don't recall. Can you test it out and let us know how it goes?
Did anyone manage to compile fgdump 2.1.0 with the "revdump-whosthere-token" Patch (.diff)?