The Antivirus Hacker's Handbook - Joxean Koret - E-Book


Joxean Koret

Description

Hack your antivirus software to stamp out future vulnerabilities. The Antivirus Hacker's Handbook guides you through the process of reverse engineering antivirus software. You explore how to detect and exploit vulnerabilities that can be leveraged to improve future software design, protect your network, and anticipate attacks that may sneak through your antivirus' line of defense. You'll begin building your knowledge by diving into the reverse engineering process, which details how to start from a finished antivirus software program and work your way back through its development using the functions and other key elements of the software. Next, you leverage your new knowledge about software development to evade, attack, and exploit antivirus software, all of which can help you strengthen your network and protect your data. While not all viruses are damaging, understanding how to better protect your computer against them can help you maintain the integrity of your network.

* Discover how to reverse engineer your antivirus software
* Explore methods of antivirus software evasion
* Consider different ways to attack and exploit antivirus software
* Understand the current state of the antivirus software market, and get recommendations for users and vendors who are leveraging this software

The Antivirus Hacker's Handbook is the essential reference for software reverse engineers, penetration testers, security researchers, exploit writers, antivirus vendors, and software engineers who want to understand how to leverage current antivirus software to improve future applications.


Page count: 516

Publication year: 2015




Table of Contents

Introduction

Overview of the Book and Technology

How This Book Is Organized

Who Should Read This Book

Tools You Will Need

What's on the Wiley Website

Summary (From Here, Up Next, and So On)

Part I: Antivirus Basics

Chapter 1: Introduction to Antivirus Software

What Is Antivirus Software?

Antivirus Software: Past and Present

Antivirus Scanners, Kernels, and Products

Typical Misconceptions about Antivirus Software

Antivirus Features

Summary

Chapter 2: Reverse-Engineering the Core

Reverse-Engineering Tools

Debugging Tricks

Porting the Core

A Practical Example: Writing Basic Python Bindings for Avast for Linux

A Practical Example: Writing Native C/C++ Tools for Comodo Antivirus for Linux

Other Components Loaded by the Kernel

Summary

Chapter 3: The Plug-ins System

Understanding How Plug-ins Are Loaded

Types of Plug-ins

Some Advanced Plug-ins

Summary

Chapter 4: Understanding Antivirus Signatures

Typical Signatures

Advanced Signatures

Summary

Chapter 5: The Update System

Understanding the Update Protocols

Dissecting an Update Protocol

When Protection Is Done Wrong

Summary

Part II: Antivirus Software Evasion

Chapter 6: Antivirus Software Evasion

Who Uses Antivirus Evasion Techniques?

Discovering Where and How Malware Is Detected

Summary

Chapter 7: Evading Signatures

File Formats: Corner Cases and Undocumented Cases

Evading a Real Signature

Evasion Tips and Tricks for Specific File Formats

Summary

Chapter 8: Evading Scanners

Generic Evasion Tips and Tricks

Automating Evasion of Scanners

Summary

Chapter 9: Evading Heuristic Engines

Heuristic Engine Types

Summary

Chapter 10: Identifying the Attack Surface

Understanding the Local Attack Surface

Incorrect Access Control Lists

Understanding the Remote Attack Surface

Summary

Chapter 11: Denial of Service

Local Denial-of-Service Attacks

Remote Denial-of-Service Attacks

Summary

Part III: Analysis and Exploitation

Chapter 12: Static Analysis

Performing a Manual Binary Audit

Summary

Chapter 13: Dynamic Analysis

Fuzzing

Summary

Chapter 14: Local Exploitation

Exploiting Backdoors and Hidden Features

Finding Invalid Privileges, Permissions, and ACLs

Searching Kernel-Land for Hidden Features

More Logical Kernel Vulnerabilities

Summary

Chapter 15: Remote Exploitation

Implementing Client-Side Exploitation

Server-Side Exploitation

Summary

Part IV: Current Trends and Recommendations

Chapter 16: Current Trends in Antivirus Protection

Matching the Attack Technique with the Target

Targeting Governments and Big Companies

Summary

Chapter 17: Recommendations and the Possible Future

Recommendations for Users of Antivirus Products

Recommendations for Antivirus Vendors

Summary

End User License Agreement

List of Illustrations

Chapter 1: Introduction to Antivirus Software

Figure 1.1 A false positive generated with Comodo Internet Security and the de facto reverse-engineering tool IDA

Chapter 2: Reverse-Engineering the Core

Figure 2.1 F-Secure for Windows library fm4av.dll as displayed in IDA

Figure 2.2 F-Secure for Linux library libfmx-linux32.so as seen in IDA

Figure 2.3 Importing symbols from Linux to Windows

Figure 2.4 Disassembly of Comodo for Linux library libPE32.so showing full symbols

Figure 2.5 How to disable the 360AntiHacker driver

Figure 2.6 The WinDbg debugger

Figure 2.7 Setting up kernel debugging on Windows 7 with bcdedit

Figure 2.8 Setting up debugging in VirtualBox

Figure 2.9 Ikarus t3 Scan running in Linux with Wine

Figure 2.10 A list of functions and disassembly of the scan_path function in the “scan” tool from Avast

Chapter 5: The Update System

Figure 5.1 The main GUI of Comodo Antivirus for Linux

Figure 5.2 Comodo offers an Update Virus Database option for the Linux GUI

Figure 5.3 Wireshark shows a trace of a signature's updating check

Figure 5.4 Request made to the Comodo web servers to download updates

Figure 5.5 The recorded trace checking for new Comodo product files

Figure 5.6 XML file to update Comodo software for Linux

Figure 5.7 Tracing the download of the libSCRIPT.so component

Chapter 7: Evading Signatures

Figure 7.1 The AVC tool unpacking the Kaspersky daily.avc signatures file

Figure 7.2 Files and directories created after unpacking

Figure 7.3 Generic detection for uncovering some CVE-2010-3333 exploits

Figure 7.4 Pseudo-code for the _decode routine

Figure 7.5 Obfuscated JavaScript code

Chapter 8: Evading Scanners

Figure 8.1 FlyStudio malware disassembled code

Figure 8.2 IDA showing more disassembling from the FlyStudio malware

Figure 8.3 A partial function from FlyStudio

Figure 8.4 The main function's flow graph in FlyStudio

Figure 8.5 MultiAV home page

Figure 8.6 Antivirus results

Chapter 9: Evading Heuristic Engines

Figure 9.1 The heuristic functions in IDA

Figure 9.2 The Comodo HIPS engine without ASLR injected into Firefox

Figure 9.3 List of IRQLs

Chapter 10: Identifying the Attack Surface

Figure 10.1 Bitdefender Security Service without ASLR enabled for most libraries, as well as the main executable program

Figure 10.2 A set of three libraries without ASLR enabled, injected in the Firefox browser's memory space

Figure 10.3 No ACL is set for the KIS event object, and WinObj warns that anybody can take control of the object.

Figure 10.4 This is an example of the Panda process SrvLoad running as SYSTEM with the highest integrity level and without any ACL set. This vulnerability was reported by the author and fixed in 2014.

Figure 10.5 This list of functions is exported by the library pavshdl.dll.

Figure 10.6 This secret UUID can be used to disable the shield.

Chapter 11: Denial of Service

Figure 11.1 Slide from the “Breaking AV Software” talk at SyScan 2014 showing an antivirus program affected by the compression bombs bug

Figure 11.2 VirusTotal results showing time outs in two antivirus programs

Figure 11.3 VirusTotal error message trying to analyze a 32GB dummy file compressed with XAR

Figure 11.4 Proofs-of-concepts exploiting DoS bugs

Chapter 12: Static Analysis

Figure 12.1 The library libfm.so opened in IDA Pro

Figure 12.2 Find the code references to FMAlloc(uint).

Chapter 13: Dynamic Analysis

Figure 13.1 Final configuration of the Nightmare fuzzing suite

Figure 13.2 Starting a new fuzzing project in Nightmare

Figure 13.3 Finding samples with the Nightmare fuzzing suite

Figure 13.4 View your fuzzing statistics.

Figure 13.5 View your fuzzing results.

Chapter 14: Local Exploitation

Figure 14.1 Panda's shield prevented termination of a Panda process using the Task Manager.

Figure 14.2 Call graph of ProcProt!Func_0056

Figure 14.3 Security properties of the WebProxy.exe process

Figure 14.4 User interface of the RemoteDLL injector tool

Figure 14.5 Panda blocks your attempt to inject a DLL.

Figure 14.6 Panda is successfully owned.

Introduction

Welcome to The Antivirus Hacker's Handbook. With this book, you can increase your knowledge about antivirus products and reverse-engineering in general; while the reverse-engineering techniques and tools discussed in this book are applied to antivirus software, they can also be used with any other software product. Security researchers, penetration testers, and other information security professionals can benefit from this book. Antivirus developers will benefit as well, because they will learn more about how antivirus products are analyzed, how they can be broken into parts, and how to prevent them from being broken, or at least make them harder to break.

I want to stress that although this book is, naturally, focused on antivirus products, it also contains practical examples that show how to apply reverse-engineering, vulnerability discovery, and exploitation techniques to real-world applications.

Overview of the Book and Technology

This book is designed for individuals who need to better understand the functionality of antivirus products, regardless of which side of the fence they are on: offensive or defensive. Its objective is to help you learn when and how specific techniques and tools should be used and what specific parts of antivirus products you should focus on, based on the specific tasks you want to accomplish. This book is for you if any of the following statements are true:

You want to learn more about the security of antivirus products.

You want to learn more about reverse-engineering, perhaps with the aim of reverse-engineering antivirus products.

You want to bypass antivirus software.

You want to break antivirus software into pieces.

You want to write exploits for antivirus software.

You want to evaluate antivirus products.

You want to increase the overall security of your own antivirus products, or you want to know how to write security-aware code that will deal with hostile code.

You love to tinker with code, or you want to expand your skills and knowledge in the information security field.

How This Book Is Organized

The contents of this book are structured as follows:

Chapter 1, “Introduction to Antivirus Software”—Guides you through the history of antivirus software to the present, and discusses the most typical features available in antivirus products, as well as some less common ones.

Chapter 2, “Reverse-Engineering the Core”—Describes how to reverse-engineer antivirus software, with tricks that can be used to debug the software or disable its self-protection mechanisms. This chapter also discusses how to apply this knowledge to create Python bindings for Avast for Linux, as well as a native C/C++ tool and unofficial SDK for the Comodo for Linux antivirus.

Chapter 3, “The Plug-ins System”—Discusses how antivirus products use plug-ins, how they are loaded, and how they are distributed, as well as the purpose of antivirus plug-ins.

Chapter 4, “Understanding Antivirus Signatures”—Explores the most typical signature types used in antivirus products, as well as some more advanced ones.

Chapter 5, “The Update System”—Describes how antivirus software is updated, how the update systems are developed, and how update protocols work. This chapter concludes by showing a practical example of how to reverse-engineer an easy update protocol.

Chapter 6, “Antivirus Software Evasion”—Gives a basic overview of how to bypass antivirus software, so that files can evade detection. Some general tricks are discussed, as well as techniques that should be avoided.

Chapter 7, “Evading Signatures”—Continues where Chapter 4 left off and explores how to bypass various kinds of signatures.

Chapter 8, “Evading Scanners”—Continues the discussion of how to bypass antivirus products, this time focusing on scanners. This chapter looks at how to bypass some static heuristic engines, anti-disassembling, anti-emulation, and other “anti-” tricks, as well as how to write an automatic tool for portable executable file format evasion of antivirus scanners.

Chapter 9, “Evading Heuristic Engines”—Finishes the discussion on evasion by showing how to bypass both static and dynamic heuristic engines implemented by antivirus products.

Chapter 10, “Identifying the Attack Surface”—Introduces techniques used to attack antivirus products. This chapter will guide you through the process of identifying both the local and remote attack surfaces exposed by antivirus software.

Chapter 11, “Denial of Service”—Starts with a discussion about performing denial-of-service attacks against antivirus software. This chapter discusses how such attacks can be launched against antivirus products both locally and remotely by exploiting their vulnerabilities and weaknesses.

Chapter 12, “Static Analysis”—Guides you through the process of statically auditing antivirus software to discover vulnerabilities, including real-world vulnerabilities.

Chapter 13, “Dynamic Analysis”—Continues with the discussion of finding vulnerabilities in antivirus products, but this time using dynamic analysis techniques. This chapter looks specifically at fuzzing, the most popular technique used to discover vulnerabilities today. Throughout this chapter, you will learn how to set up a distributed fuzzer with central administration to automatically discover bugs in antivirus products and be able to analyze them.

Chapter 14, “Local Exploitation”—Guides you through the process of exploiting local vulnerabilities while putting special emphasis on logical flaws, backdoors, and unexpected usages of kernel-exposed functionality.

Chapter 15, “Remote Exploitation”—Discusses how to write exploits for memory corruption issues by taking advantage of typical mistakes in antivirus products. This chapter also shows how to target update services and shows a full exploit for one update service protocol.

Chapter 16, “Current Trends in Antivirus Protection”—Discusses which antivirus product users can be targeted by actors that use flaws in antivirus software, and which users are unlikely to be targeted with such techniques. This chapter also briefly discusses the dark world in which such bugs are developed.

Chapter 17, “Recommendations and the Possible Future”—Concludes this book by making some recommendations to both antivirus users and antivirus vendors, and discusses which strategies can be adopted in the future by antivirus products.

Who Should Read This Book

This book is designed for individual developers and reverse-engineers with intermediate skills, although the seasoned reverse-engineer will also benefit from the techniques discussed here. If you are an antivirus engineer or a malware reverse-engineer, this book will help you to understand how attackers will try to exploit your software. It will also describe how to avoid undesirable situations, such as exploits for your antivirus product being used in targeted attacks against the users you are supposed to protect.

More advanced individuals can use specific chapters to gain additional skills and knowledge. As an example, if you want to learn more about writing local or remote exploits for antivirus products, proceed to Part III, “Analysis and Exploitation,” where you will be guided through almost the entire process of discovering an attack surface, finding vulnerabilities, and exploiting them. If you are interested in antivirus evasion, then Part II, “Antivirus Software Evasion,” is for you. So, whereas some readers may want to read the book from start to finish, there is nothing to prevent you from moving around as needed.

Tools You Will Need

Your desire to learn is the most important thing you have as you start to read this book. Although I try to use open-source “free” software, this is not always possible. For example, I used the commercial tool IDA in a lot of cases; because antivirus programs are, with only one exception, closed-source commercial products, you need to use a reverse-engineering tool, and IDA is the de facto one. Other tools that you will need include compilers, interpreters (such as Python), and some tools that are not open source but that can be freely downloaded, such as the Sysinternals tools.

What's on the Wiley Website

To make it as easy as possible for you to get started, some of the basic tools you will need are available on the Wiley website, which has been set up for this book at www.wiley.com/go/antivirushackershandbook.

Summary (From Here, Up Next, and So On)

The Antivirus Hacker's Handbook is designed to help readers become aware of what antivirus products are, what they are not, and what to expect from them; this information is not usually available to the public. Rather than discussing how antivirus products work in general, it shows real bugs, exploits, and techniques for real-world products that you may be using right now and provides real-world techniques for evasion, vulnerability discovery, and exploitation. Learning how to break antivirus software not only helps attackers but also helps you to understand how antivirus products can be enhanced and how antivirus users can best protect themselves.

Part I: Antivirus Basics

In This Part

Chapter 1: Introduction to Antivirus Software

Chapter 2: Reverse-Engineering the Core

Chapter 3: The Plug-ins System

Chapter 4: Understanding Antivirus Signatures

Chapter 5: The Update System

Chapter 1: Introduction to Antivirus Software

Antivirus software is designed to prevent computer infections by detecting malicious software, commonly called malware, on your computer and, when appropriate, removing the malware and disinfecting the computer. Malware, also referred to as samples in this book, can be classified into various kinds, namely, Trojans, viruses (infectors), rootkits, droppers, worms, and so on.

This chapter covers what antivirus (AV) software is and how it works. It offers a brief history of AV software and a short analysis of how it evolved over time.

What Is Antivirus Software?

Antivirus software is special security software that aims to give better protection than that offered by the underlying operating system (such as Windows or Mac OS X). In most cases, it is used as a preventive solution. However, when that fails, the AV software is used to disinfect the infected programs or to completely clean malicious software from the operating system.

AV software uses various techniques to identify malicious software, which often self-protects and hides deep in an operating system. Advanced malware may use undocumented operating system functionality and obscure techniques in order to persist and avoid being detected. Because of the large attack surface these days, AV software is designed to deal with all kinds of malicious payloads coming from both trusted and untrusted sources. Some malicious inputs that AV software tries to protect an operating system from, with varying degrees of success, are network packets, email attachments, and exploits for browsers and document readers, as well as executable programs running on the operating system.
