Bypass Antivirus Dynamic Analysis
Limitations of the AV model and how to exploit them
24 August 2014 18:55
I Introduction.
« Antivirus are easy to bypass », « Antivirus are mandatory in defense in depth », « This Cryptor is FUD » are some of the sentences you hear when doing research on antivirus security.
I asked myself: hey, is it really that simple to bypass AV? After some research I came (like others) to the conclusion that bypassing an antivirus consists of two big steps:
- Hide the code which may be recognized as malicious. This is generally done using encryption.
- Code the decryption stub in such a way that it is neither detected as a virus nor defeated by emulation/sandboxing.
In this paper I will mainly focus on the last one, how to fool antivirus emulation/sandboxing systems.
I set myself a challenge to find half a dozen ways to make a fully undetectable decryption stub (in fact I found far more than that). Here is a collection of methods. Some of them are very complex (and most “FUD cryptor” sellers use one of these). Others are so simple I don’t understand why I’ve never seen them before. I am pretty sure underground and official virus writers are fully aware of these methods, so I wanted to share them with the public.
If you wish to read more about this, the document can be downloaded in PDF format.
Forum posts
Hi,
Your work has some overlap with the research my colleague and I presented at Black Hat USA 2014 a couple of weeks ago. You can find our latest paper version here.
Cheers,
Arne
1. Bypass Antivirus Dynamic Analysis, 28 August 2014, 19:59, by Emeric Nasi
Great article, thanks. With more AV detection methods!
It must be nice to attend this kind of conference.
Regards,
Emeric