Bypassing Security Software


NullByte

Thread author
Hi

I will talk about how easy it is to bypass most security software and how you can protect yourself. The first thing is digital signatures, and then how to use delays to bypass different features.

If you search a little you can find tools that will copy the digital signature from one file to another. This is used with Backdoors (Remote Access Tools) and Botnets. If you like to download cracks or other "hacking tools" you may have had this type of infection.

In this example I used FTB Launcher (a game) that doesn't have a digital signature and I copied the digital signature from Comodo Internet Security.

[Screenshot: Digital Signatures.PNG]

As you can see in the screenshot, it copied the SHA1 and the SHA256. The issue with digitally signed files is that there are a lot of security products that will not scan the file if the sample is "signed" by a trusted company.

Products like HitmanPro (not HitmanPro.Alert), Zemana, Reason and most Cloud AVs will not scan it, or even if they scan it, they will look at the PE Header and see it as "clean".

If you also use EXE Protector, DE EVO, CodeLux Protector and other tools that will "protect" the code, you will have almost a 100% chance that the file will bypass your security software.

Info: Most PUP/Adware are signed software, that is why it's so hard to detect them. Also, if you sign your malware with a driver signature you will have a higher chance of success.

Now it comes to the second part, delaying the payload and using safe (clean) files to drop the payload.
As I said in the first part, signing malware is really easy (if you have the tools); if you also add a delay to the payload (more than 30 seconds) you will bypass the security software and there is a high chance that your security software will not say anything.

I will talk about the new epic Avast (this works with most security products too).
I've noticed how Avast works, and if you add more than a 30 second delay the sample will infect the PC. How it works is like this: when you execute a new file, Avast will use DeepScreen and the new CyberCapture to get it. If the file is digitally signed and you execute it, Avast will start looking at the file, and since the "timeout is 25 seconds" and the payload will drop after 30 seconds, the "online" analysis will say it's clean. If you have HIPS set on default (level 1) the sample will bypass with no warning; if you have it on high (level 3) the HIPS will ask you when the backdoor auto-starts.

The third part is using the first and the second techniques and injecting the file into a safe file. This technique is very good because it uses all that I said above plus a clean file.

In conclusion, if your security product doesn't check the files and just uses VirusTotal or other services, then there is a high chance that you will get infected.

This is just a short post about some techniques; if you like it I will make more. If you have any questions feel free to post below or send me a PM. If you work for a security company and you are interested in the tools, send me a PM.
 

hjlbx

Thread author
Good infos... but HitmanPro does/will scan files with digital signatures during its default full-system scan; HitmanPro does not skip over files that are digitally signed. Using the Early Warning Scan, HitmanPro will detect digitally signed files that have recently appeared on a user's system - including ones published and digitally signed by Microsoft.

HitmanPro submits file hashes to the cloud.

Am I missing something ?
 

Lord Ami

Just asking - did you test F-Secure? DeepGuard should stay for lookout even after it lets file execute. So the artificial delay shouldn't hide the malware from DeepScreen. If you can, please check it :)
 

NullByte

Thread author
Good infos... but HitmanPro does/will scan files with digital signatures during its default full-system scan; HitmanPro does not skip over files that are digitally signed. Using the Early Warning Scan, HitmanPro will detect digitally signed files that have recently appeared on a user's system - including ones published and digitally signed by Microsoft.

Am I missing something ?

It uses the VirusTotal API; even if it finds it, it will not flag it as malware.

Just asking - did you test F-Secure? DeepGuard should stay for lookout even after it lets file execute. So the artificial delay shouldn't hide the malware from DeepScreen. If you can, please check it :)

I don't know, it's hard to test every security software, I only tested "top" security products.
 

Duotone

Products like HitmanPro (not the HitmanPro.Alert), Zemana, Reason and most Cloud AVs will not scan it or even if they scan it, they will look at the PE Header and see it "clean".

These happen only on on-demand scans, right?! It did happen to me once that an on-demand scan by ZAM/MBAM/VT found it clean, but upon execution ZAM blocked it as suspicious (it's some CRACK/PATCH if I recall correctly).
 

Logethica

Excellent Post @NullByte :)
I don't understand why many security softs have a default (In this day & age) of NOT scanning files signed by a "Trusted Source"...
And both yourself and @Umbra rightfully point out the obvious flaws in the "Signature-based AV system"..
I do use Avast (as part of a layered security approach) and have never found a good reason to NOT have the HIPS @ Max-Settings..
If I HAD to make a choice between an AV + AM that relied on signature-based defence, or a combined HIPS + Anti-EXE approach, then I would pick the latter approach all day long.
I am very Interested in reading your future Threads/Posts :)
 

NullByte

Thread author
Avast is not the issue; the issue is with the way security companies respond to new threats and how much money they invest. Most security companies have an auto-malware analysis; when they have 100,000+ samples a day you can't really look at all the files. If someone uses some type of "hack" to make a file FUD and bypass the security software, it's not that easy for the security company to catch it (if the sample has a digital signature it's even harder, look at FinSpy and other malware like that). Also, most of the things I said are not new, even what cruelsister posts is not that new. BTW, cruelsister knows a few things from what I've seen; she's an important member of this community.

I'm a Linux user so I can only "recommend" you what I've seen is good in the tests I do.
Free: Comodo Internet Security (w/ custom settings), Qihoo 360 TSE with Comodo Firewall (w/ custom settings), NVT ERP.
Paid: Comodo Internet Security (w/ custom settings), Emsisoft Internet Security (w/ custom settings), AppGuard.

I've seen a lot of "hackers" using Sandboxie; they love it. So, I guess Sandboxie too.

About future posts, I don't always have internet connection (I will use my phone to log) but I will try to post anything that will help someone in a way or another and I also wanna make some new friends.

Also, having an ad-blocker nowadays is a must (uBlock is my favorite, ADGuard is good too).
 

Logethica

Avast is not the issue; the issue is with the way security companies respond to new threats and how much money they invest. Most security companies have an auto-malware analysis; when they have 100,000+ samples a day you can't really look at all the files. If someone uses some type of "hack" to make a file FUD and bypass the security software, it's not that easy for the security company to catch it (if the sample has a digital signature it's even harder, look at FinSpy and other malware like that). Also, most of the things I said are not new, even what cruelsister posts is not that new. BTW, cruelsister knows a few things from what I've seen; she's an important member of this community.

I'm a Linux user so I can only "recommend" you what I've seen is good in the tests I do.
Free: Comodo Internet Security (w/ custom settings), Qihoo 360 TSE with Comodo Firewall (w/ custom settings), NVT ERP.
Paid: Comodo Internet Security (w/ custom settings), Emsisoft Internet Security (w/ custom settings), AppGuard.

I've seen a lot of "hackers" using Sandboxie; they love it. So, I guess Sandboxie too.

About future posts, I don't always have internet connection (I will use my phone to log) but I will try to post anything that will help someone in a way or another and I also wanna make some new friends.

Also, having an ad-blocker nowadays is a must (uBlock is my favorite, ADGuard is good too).

Great points:)
Comodo didn't want to install on my machine when I tried a few months ago:(
I have Sandboxie and uBlock (Love them both)
I also have Voodooshield in "Always ON" Mode.
Great,Thanks @NullByte :)
 

jamescv7

A loophole in AV analysis: digital signatures count as one of the factors that let threats bypass, so always deactivate trusted-signature related settings.

An anti-exe powered by user decision must be enforced at all times.

It is like the security guards (humans) doing a light frisking inspection only, without knowing that the bag might carry deadly weapons somewhere inside.

When an incident occurs, that's the time to engage heavy inspection.
 

hjlbx

Thread author
The reason the VT API doesn't detect a file that has had a digital signature copied and added - sometimes the file hash will change.

However three areas of a PE executable are supposed to be excluded from the hash computation:
  • the Checksum in the optional Windows specific header. 4 bytes.
  • the Certificate Table entry in the optional Windows specific header. 8 bytes.
  • the Digital Certificate section at the end of the file. Variable length.
Sometimes copying and appending a digital signature still modifies the PE hash; it depends upon how it has been done.

You should check the hash of your file before and after adding the digital signature - just to make sure the checksum hasn't changed.

VT database uses file hashes - there is absolutely no consideration whatsoever of a PE's digital signature.

You can verify this fact directly with VT.
 
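To make hjlbx's three excluded areas concrete, here is an added example (not code from the thread or from any product named in it). It builds a constructed, non-runnable minimal PE32 image, then appends a placeholder certificate blob the way a signature is attached, and compares the full-file SHA-256 (what a hash lookup service keys on) with a simplified Authenticode hash that skips CheckSum, the Certificate Table entry and the certificate data. Offsets follow the PE/COFF spec; the Authenticode routine assumes contiguous, in-order sections, which is the usual linker layout.

```python
import hashlib
import struct

def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Hash a PE the way Authenticode does: skip the CheckSum field, the
    Certificate Table directory entry and the certificate table at the end.
    Simplification: sections are assumed contiguous and in file order (the
    usual linker layout); the spec hashes them sorted by PointerToRawData."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe_off + 24                                       # optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    checksum = opt + 64                                     # 4 bytes, excluded
    certtab = opt + (128 if magic == 0x10B else 144)        # 8 bytes, excluded
    cert_off, cert_len = struct.unpack_from("<II", pe, certtab)
    end = cert_off if cert_len else len(pe)                 # cert blob excluded
    h = hashlib.new(algo)
    for chunk in (pe[:checksum], pe[checksum + 4:certtab], pe[certtab + 8:end]):
        h.update(chunk)
    return h.hexdigest()

def build_min_pe(cert_blob: bytes = b"") -> bytes:
    """Constructed minimal PE32 image (one .text section, not meant to run)."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 60, 0x200)                  # SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)             # CheckSum
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x10, 0x1000, 0x200,
                                         0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    pe = bytearray(headers + b"\xC3".ljust(0x200, b"\0"))   # .text: one RET
    if cert_blob:   # "append a signature": point the Certificate Table at it
        struct.pack_into("<II", pe, 0x80 + 24 + 128, len(pe), len(cert_blob))
        pe += cert_blob
    return bytes(pe)

def hash_report(plain: bytes, signed: bytes) -> dict:
    """Full-file hash (what a hash lookup keys on) vs. the Authenticode hash."""
    return {
        "file_sha256_changed": hashlib.sha256(plain).digest() != hashlib.sha256(signed).digest(),
        "authenticode_sha256_changed": authenticode_hash(plain) != authenticode_hash(signed),
    }

if __name__ == "__main__":
    # WIN_CERTIFICATE header (dwLength, wRevision 0x200, type 2 = PKCS#7) + placeholder bytes
    fake_cert = struct.pack("<IHH", 24, 0x200, 2) + b"<pkcs7 placeholder>"[:16]
    print(hash_report(build_min_pe(), build_min_pe(fake_cert)))
```

The full-file hash changes while the Authenticode hash does not, which is exactly why a hash-only lookup says nothing about the signature, and why a defender should verify the signature against the image rather than merely note that one is present.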

cruelsister

I like this guy! Not that I would know about such things, but:

1). False signatures are indeed an issue, but as we can infer from hjlbx's post above, it may not be quite as straightforward as it at first seems. Things like collision attacks have been used by script kiddies, but a more insidious method would be setting up a shell company, getting certs for it, then pulsing out signed malware. When detected, the company folds. Another method is the outright purchase of a browser extension, then recoding it with an added surprise included (Personally I think it is the height of insanity to use many extensions and/or apps). Finally, acquiring the Private Key of a very high quality signer is ideal, but is difficult (unless you look really good in a skirt); this would be reserved for targeted attacks.

Finally, for those that are exceptionally interested, there was this paper published last year that was concerning:

https://eprint.iacr.org/2015/967.pdf

2). Time-delay trojans do indeed work, but not against everything. Setting the trojan to drop not with the clock but with the initiation of something like the shutdown routine will prove more efficacious.

 

hjlbx

Thread author
Digital Certificates = lick your thumb, dip it in a bottle of cyanide, put it in your mouth, and suck on it... well... maybe not so dramatic. :D

Digital Certs are just a small piece of the puzzle -- and in some ways within the same vein as obsolete AV signatures.
 

jamescv7

Double combination.

A problem in AV analysis, and also an issue with issuing digital certificates because of a poor verification process.

Not surprising nowadays that some security companies are allegedly linked to those rogue programs, because of digital certificates which are poorly managed.
 

LabZero

Thread author
Talking about evasion techniques, let me say that in the malware industry there are different kinds of people.
Some of them are specialized in creating malware, for example a RAT that can connect itself to a remote server and has many functions: it's able to get the hash of the password, detect an installed AV, take screenshots, activate the webcam recording a video of your session, capture the key presses on the keyboard and so act as a keylogger...
In short, a malcode whose only purpose is to infect your PC and stay as long as possible.

The creator of the RAT is part of this system, and this is the vision that enables the malware industry to grow, because there are professional people who write malware as a job.

From the other side, regarding signature-based products, the procedure to detect the malware is quite simple: it's sufficient to isolate the malware, run a script that calculates the hash and add it to the anti-malware database.

Then there are people specialized in AV jumping: they study a binary, an executable, trying to bypass the antivirus. What they do is take the malware and a few dozen anti-malware products, load and run the sample and see how many of these anti-malware products are bypassed...
If they realize that this sample is detected, they apply code morphing.
It is easy to add a useless cycle or NOP in the binary so that the anti-malware is not able to recognize it...
In short, a malware crypts its payload with a different key and changes the code of the decrypting procedure with the addition of NOP instructions, transposition of code, or unconditional jumps.
To unpack the payload, the unpacking routine can be relied on only once, in which case the payload is extracted in memory in a single step, or it can be invoked multiple times, when different parts of the payload are extracted into memory at different times.

So, the use of the packer allows them to circumvent the signature-based techniques.

"Fully Undetectable" malware is difficult to write... but not impossible.
Some of the above mentioned techniques and crypters often work, but in a Linux job environment the situation is different: malware writers know Metasploit, msfpayload, msfencode, the use of the Windows command prompt and the Linux shell.
If they have advanced knowledge about bash and msfencode it's possible to create complex FUD.

PS: for those who may be interested and "chew" a bit of assembly, NOP (No OPeration) is an instruction that allows the execution unit of the pipeline to stop itself for N clock cycles (where N changes, depending on the processor used); as deducible from the name, it doesn't perform any operation.

Read more:

NOP - Wikipedia, the free encyclopedia
 
