Antivirus Bypass Techniques E-Book

Antivirus Bypass Techniques

Learn practical techniques and tactics to combat, bypass, and evade antivirus software

Nir Yehoshua Uriel Kosayev

BIRMINGHAM—MUMBAI

Antivirus Bypass Techniques

Copyright © 2021 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Wilson Dsouza

Publishing Product Manager: Mohd Riyan Khan

Senior Editor: Rahul Dsouza

Content Development Editor: Sayali Pingale

Technical Editor: Sarvesh Jaywant

Copy Editor: Safis Editing

Project Coordinator: Ajesh Devavaram

Proofreader: Safis Editing

Indexer: Pratik Shirodkar

Production Designer: Alishon Mendonca

First published: June 2021

Production reference: 1180721

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

978-1-80107-974-7

www.packt.com

Recommendation

"Antiviruses have always been a hindrance for threat actors and red teamers. The book Antivirus Bypass Techniques illustrates various techniques that attackers can use to evade antivirus protection. This book is a must-read for red teamers."

– Abhijit Mohanta, author of Malware analysis and Detection Engineering and Preventing Ransomware

Contributors

About the authors

Nir Yehoshua is an Israeli security researcher with more than 8 years of experience in several information security fields.

His specialties include vulnerability research, malware analysis, reverse engineering, penetration testing, and incident response.

He is an alumnus of an elite security research and incident response team in the Israel Defense Forces.

Today, Nir is a full-time bug bounty hunter and consults for Fortune 500 companies, aiding them in detecting and preventing cyber-attacks.

Over the years, Nir has discovered security vulnerabilities in several companies, including FACEIT, Bitdefender, McAfee, Intel, Bosch, and eScan Antivirus, who have mentioned him in their Hall of Fame.

Special thanks to my mentor, Shay Rozen, for supporting this book in many ways.I've known Shay from my earliest days in the cybersecurity field and have learned a lot from him about security research, cyber intelligence, and red teaming. I can gladly say that Shay gave me the gift of the "hacker mindset," and for that I am grateful.Thanks, Shay; I'm honored to know you.

Uriel Kosayev is an Israeli security researcher with over 8 years of experience in the information security field. Uriel is also a lecturer who has developed courses in the cybersecurity field. Uriel has hands-on experience in malware research, reverse engineering, penetration testing, digital forensics, and incident response. During his army service, Uriel worked to strengthen an elite incident response team in both practical and methodological ways. Uriel is the founder of TRIOX Security, which today provides red team and blue team security services along with custom-tailored security solutions.

Big thanks to Yaakov (Yaki) Ben-Nissan for all of these years, Yaki is a great man with much passion and professionalism. These two characteristics make him who he is: a true hero and a true mentor. To me, you are more than just a mentor or teacher.

Thanks for being always there for me, with all my love and respect.

Reviewer

Andrey Polkovnichenko

Table of Contents

Preface

Section 1: Know the Antivirus – the Basics Behind Your Security Solution

Chapter 1: Introduction to the Security Landscape

Understanding the security landscape

Defining malware

Types of malware

Exploring protection systems

Antivirus – the basics

Antivirus bypass in a nutshell

Summary

Chapter 2: Before Research Begins

Technical requirements

Getting started with the research

The work environment and lead gathering

Process

Thread

Registry

Defining a lead

Working with Process Explorer

Working with Process Monitor

Working with Autoruns

Working with Regshot

Third-party engines

Summary

Chapter 3: Antivirus Research Approaches

Understanding the approaches to antivirus research

Introducing the Windows operating system

Understanding protection rings

Protection rings in the Windows operating system

Windows access control list

Permission problems in antivirus software

Insufficient permissions on the static signature file

Improper privileges

Unquoted Service Path

DLL hijacking

Buffer overflow

Stack-based buffer overflow

Buffer overflow – antivirus bypass approach

Summary

Section 2: Bypass the Antivirus – Practical Techniques to Evade Antivirus Software

Chapter 4: Bypassing the Dynamic Engine

Technical requirements

The preparation

Basic tips for antivirus bypass research

VirusTotal

VirusTotal alternatives

Antivirus bypass using process injection

What is process injection?

Windows API

Classic DLL injection

Process hollowing

Process doppelgänging

Process injection used by threat actors

Antivirus bypass using a DLL

PE files

PE file format structure

The execution

Antivirus bypass using timing-based techniques

Windows API calls for antivirus bypass

Memory bombing – large memory allocation

Summary

Further reading

Chapter 5: Bypassing the Static Engine

Technical requirements

Antivirus bypass using obfuscation

Rename obfuscation

Control-flow obfuscation

Introduction to YARA

How YARA detects potential malware

How to bypass YARA

Antivirus bypass using encryption

Oligomorphic code

Polymorphic code

Metamorphic code

Antivirus bypass using packing

How packers work

The unpacking process

Packers – false positives

Summary

Chapter 6: Other Antivirus Bypass Techniques

Technical requirements

Antivirus bypass using binary patching

Introduction to debugging / reverse engineering

Timestomping

Antivirus bypass using junk code

Antivirus bypass using PowerShell

Antivirus bypass using a single malicious functionality

The power of combining several antivirus bypass techniques

An example of an executable before and after peCloak

Antivirus engines that we have bypassed in our research

Summary

Further reading

Section 3: Using Bypass Techniques in the Real World

Chapter 7: Antivirus Bypass Techniques in Red Team Operations

Technical requirements

What is a red team operation?

Bypassing antivirus software in red team operations

Fingerprinting antivirus software

Summary

Chapter 8: Best Practices and Recommendations

Technical requirements

Avoiding antivirus bypass dedicated vulnerabilities

How to avoid the DLL hijacking vulnerability

How to avoid the Unquoted Service Path vulnerability

How to avoid buffer overflow vulnerabilities

Improving antivirus detection

Dynamic YARA

The detection of process injection

Script-based malware detection with AMSI

Secure coding recommendations

Self-protection mechanism

Plan your code securely

Do not use old code

Input validation

PoLP (Principle of Least Privilege)

Compiler warnings

Automated code testing

Wait mechanisms – preventing race conditions

Integrity validation

Summary

Why subscribe?

Other Books You May Enjoy

Preface

This book was created based on 2 and a half years of researching different kinds of antivirus software.

Our goal was to actually understand and evaluate which, and how much, antivirus software provides good endpoint protection. We saw in our research a lot of interesting patterns and behaviors regarding antivirus software, how antivirus software is built, its inner workings, and its detection or lack of detection rates.

As human beings and creators, we create beautiful and smart things, with a lot of intelligence behind us, but as we already know, the fact – the hard fact – is that there is no such thing as perfect, and antivirus software is included in that. As we as humans develop, evolve, learn from our mistakes, try, fail, and eventually succeed with the ambition of achieving perfection, so we believe that antivirus software and other protection systems need to be designed in a way that they can adapt, learn, and evolve against ever-growing cyber threats.

This is why we created this book, where you will understand the importance of growing from self-learning, by accepting the truth that there is no 100-percent-bulletproof security solutions and the fact that there will always be something to humbly learn from, develop, and evolve in order to provide the best security solution, such as antivirus software.

By showing you how antivirus software can be bypassed, you can learn a lot about it, from it, and also make it better, whether it is by securing it at the code level against vulnerability-based bypasses or by writing better detections in order to prevent detection-based antivirus bypasses as much as possible.

While reading our book, you will see cases where we bypassed a lot of antivirus software, but in fact, this does not necessarily suggest that the bypassed antivirus software is not good, and we do not give any recommendations for any specific antivirus software in this book.

Who this book is for

This book is aimed at security researchers, malware analysts, reverse engineers, penetration testers, antivirus vendors who are interested in strengthening their detection capabilities, antivirus users, companies who want to test and evaluate their antivirus software, organizations that want to test and evaluate their antivirus software before purchase or acquisition, and other technology-oriented individuals who want to learn about new topics.

What this book covers

Chapter 1, Introduction to the Security Landscape, introduces you to the security landscape, the types of malware, the protection systems, and the basics of antivirus software.

Chapter 2, Before Research Begins, teaches you how to gather antivirus research leads with well-known dynamic malware analysis tools in order to bypass antivirus software.

Chapter 3, Antivirus Research Approaches, introduces you to the antivirus bypass approaches of vulnerability-based antivirus bypass and detection-based antivirus bypass.

Chapter 4, Bypassing the Dynamic Engine, demonstrates the three antivirus dynamic engine bypass techniques of process injection, dynamic link library, and timing-based bypass.

Chapter 5, Bypassing the Static Engine, demonstrates the three antivirus static engine bypass techniques of obfuscation, encryption, and packing.

Chapter 6, Other Antivirus Bypass Techniques, demonstrates more antivirus bypass techniques – binary patching, junk code, the use of PowerShell to bypass antivirus software, and using a single malicious functionality.

Chapter 7, Antivirus Bypass Techniques in Red Team Operations, introduces you to antivirus bypass techniques in real life, what the differences between penetration testing and red team operations are, and how to perform antivirus fingerprinting in order to bypass it in a real-life scenario.

Chapter 8, Best Practices and Recommendations, teaches you the best practices and recommendations for writing secure code and enriching malware detection mechanisms in order to prevent antivirus bypassing in the future.

To get the most out of this book

You need to have a basic understanding of the security landscape, and an understanding of malware types and families. Also, an understanding of the Windows operating system and its internals, knowledge of programming languages such as Assembly x86, C/C++, Python, and PowerShell, and practical knowledge of conducting basic malware analysis.

Code in Action

Code in Action videos for this book can be viewed at https://bit.ly/3cFEjBw

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781801079747_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "The first option is to use rundll32.exe, which allows the execution of a function contained within a DLL file using the command line".

Any command-line input or output is written as follows:

RUNDLL32.EXE <dllname>,<entrypoint> <argument>

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "In order to display the full results of the Jujubox sandbox, you need to click on the BEHAVIOR tab, click on VirusTotal Jujubox, and then Full report".

Tips or important notes

Appear like this.

Disclaimer

The information within this book is intended to be used only in an ethical manner. Do not use any information from the book if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Packt Publishing, Nir Yehoshua, and Uriel Kosayev (the authors of the book) do not take any responsibility if you misuse any of the information contained within the book. The information herein must only be used while testing environments with proper written authorizations from appropriate persons responsible.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packt.com.

Section 1: Know the Antivirus – the Basics Behind Your Security Solution

In this first section, we’ll explore the basics of antivirus software, get to know the engines behind antivirus software, collect leads for research, and learn about the authors’ two bypass approaches in order to prepare us for understanding how to bypass and evade antivirus software.

This part of the book comprises the following chapters:

Chapter 1: Introduction to the Security Landscape

This chapter provides an overview of our connected world. Specifically, it looks at how cybercriminals in the cyber landscape are becoming more sophisticated and dangerous. It looks at how they abuse the worldwide connectivity between people and technology. In recent years, the damage from cyberattacks has become increasingly destructive and the majority of the population actually thinks that antivirus software will protect them from all kinds of cyber threats. Of course, this is not true and there are always security aspects that need to be dealt with in order to improve antivirus software's overall security and detections.

Many people and organizations believe that if they have antivirus software installed on their endpoints, they are totally protected. However, in this book, we will demonstrate – based on our original research of several antivirus products – why this is not completely true. In this book, we will describe the types of antivirus engines on the market, explore how antivirus software deals with threats, demonstrate the ways in which antivirus software can be bypassed, and much more.

In this chapter, we will explore the following topics:

Understanding the security landscape

In recent years, the internet has become our main way to transfer ideas and data. In fact, almost every home in the developed world has a computer and an internet connection.

The current reality is that most of our lives are digital. For example, we use the web for the following:

This means that anyone can find the most sensitive information, on any regular person, on their personal computer and smartphone.

This digital transformation, from the physical world to the virtual one, has also unfolded in the world of crime. Criminal acts in cyberspace are growing exponentially every year, whether through cyberattacks, malware attacks, or both.

Cybercriminals have several goals, such as the following:

Of course, when the main goal is money, there's a powerful motivation to steal and collect sellable information.

To deal with such threats and protect users, information security vendors around the world have developed a range of security solutions for homes and enterprises: Network Access Control (NAC), Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS), firewalls, Data Leak Prevention (DLP), Endpoint Detection and Response (EDR), antiviruses, and more.

But despite the wide variety of products available, the simplest solution for PCs and other endpoints is antivirus software. This explains why it has become by far the most popular product in the field. Most PC vendors, for example, offer antivirus licenses bundled with a computer purchase, in the hope that the product will succeed in protecting users from cyberattacks and malware.

The research presented in this book is based on several types of malicious software that we wrote ourselves in order to demonstrate the variety of bypass techniques. Later in this book, we will explore details of the malware we created, along with other known and publicly available resources, to simplify the processes of the bypass techniques we used.

Now that we have understood why organizations and individuals use antivirus software, let's delve into the malware types, malicious actors, and more.

Defining malware

Malware is a portmanteau of malicious software. It refers to code, a payload, or a file whose purpose is to infiltrate and cause damage to the endpoint in a few different ways, such as the following:

Over the years, many companies have developed antivirus software that aims to combat all types of malware threats, which have multiplied over the years, with the potential for harm also growing every single day.

Types of malware

To understand how to bypass antivirus software, it's best to map out the different kinds of malware out there. This helps us get into the heads of the people writing antivirus signatures and other engines. It will help us recognize what they're looking for, and when they find a malicious file, to understand how they classify the malware file:

Important Note

Malware variants and families are classified based not only on the main purpose or goal of the malware but also on its capabilities. For example, the WannaCry ransomware is classified as such because its main goal is to encrypt the victim's files and demand ransom, but WannaCry is also considered and classified as Trojan malware, as it impersonates a legitimate disk partition utility, and is also classified and detected as a worm because of its ability to laterally move and infect other computers in the network by exploiting the notorious EternalBlue SMB vulnerability.

Now that we have understood malware and its varieties, we should take a look at the systems created to guard against these intrusions.

Exploring protection systems

Antivirus software is the most basic type of protection system used to defend endpoints against malware. But besides antivirus software (which we will explore in the Antivirus – the basics section), there are many other types of products to protect a home and business user from these threats, both at the endpoint and network levels, including the following:

For example, a security engineer from a particular company can define within the company's EDR that if a file attempts to perform a change to the SQLServer.exe process, it will send an alert to the EDR's dashboard.