Tuesday, September 20, 2011

Circumventing Antivirus via Transmutation

Researchers at the Kumatori Accelerator-driven Reactor Test Facility (KART) (Economist article, if you subscribe) have discovered a way to forcibly decay radioactive waste (neptunium, plutonium, americium, curium, etc.) into less-lethal isotopes of elements that are only radioactive for years, instead of tens of thousands or tens of millions of years. Essentially, they slam the radioactive waste with a neutron beam that adds mass to it, causing it to transmute into another element, which in turn causes it to decay faster. This got me thinking: if you can slam an element with a neutron beam to create a new element, well, maybe you can do the same thing to a file in order to avoid "pesky Anti-Virus"?


Well, it seems you can. A good example of this is Holy Father's Morphine. Morphine works by including its own PE loader. This enables it to put the whole source image into the .text section of a new PE file. It also contains a polymorphic engine which creates an absolutely different decryptor for the new PE file each time Morphine is run. Morphine was released in March of 2004, and the major Antivirus companies did not have a method of generically detecting "Morphined" executables until Q4 2005. The private version of Morphine still creates versions of binaries that are undetectable to every Antivirus maker on the market.

Other ideas are simply to rearrange the executable so that it does essentially "the same thing", but with different underlying instructions. An example would be copying the value in the eax register into the edx register. Typically, the program would do a mov edx, eax instruction (Intel syntax, destination first) to accomplish this. Well, a push eax followed by a pop edx will do effectively the same thing as a mov edx, eax: take the value in eax and put it into edx. You see where I am going here: we can totally modify the static signature of the binary in this process. But, does it work....

....Well, not really. If I take a 3-byte instruction (mov edx, eax) and replace it with two 2-byte instructions (push eax and pop edx), I have changed the offsets within the program by one byte. This means that every jump and every call after that point in the program will be off by one byte, so the program will no longer work. Three possible solutions to this problem:

1. Only substitute instructions of equal size.
2. Recalculate all jumps and calls to account for the total number of bytes inserted or deleted.
3. Write our own trojan/virus, or whatever we are trying to accomplish (not the focus of this article, though).

OK, well, if we do some googling, we find that someone has already attempted #1. A guy named z0mbie already wrote a program called code pervertor that did this. Unfortunately, it didn't work very well, as the heuristic engine in most AVs can catch these simple modifications. For #3, go ahead and create your own trojan or virus. But this is not an option if you aren't a trojan writer or programmer, or don't have the time to learn.
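To illustrate why the heuristic engines mentioned above catch equal-size substitutions, here is an added example (not code from the original post, nor from code pervertor or CodeCrypter): a toy normalizer that rewrites push/pop pairs back to the mov they stand in for, and drops no-op padding, before hashing. It assumes Intel-syntax text mnemonics and the constructed instruction lists shown; it performs no real disassembly.

```python
# Added example (not from the original post): a toy instruction-sequence
# normalizer of the kind a heuristic scanner can apply before signature
# matching, so that `push A; pop B` and `mov B, A` hash to the same value.
# Instructions are Intel-syntax text mnemonics (destination first).
import hashlib
import re

# Registers whose push/pop pairs are treated as register-to-register copies.
REGS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}


def normalize(instrs):
    """Return the canonical form of an instruction list.

    `push A` / `pop B` becomes `mov B, A`; `push A` / `pop A`, `nop`,
    `mov A, A` and `xchg A, A` are dropped as no-ops.
    """
    out = []
    i = 0
    while i < len(instrs):
        ins = instrs[i].strip().lower()
        nxt = instrs[i + 1].strip().lower() if i + 1 < len(instrs) else ""
        m_push = re.fullmatch(r"push\s+(\w+)", ins)
        m_pop = re.fullmatch(r"pop\s+(\w+)", nxt)
        if m_push and m_pop and {m_push.group(1), m_pop.group(1)} <= REGS:
            src, dst = m_push.group(1), m_pop.group(1)
            if src != dst:
                out.append(f"mov {dst}, {src}")
            i += 2
            continue
        if ins == "nop" or re.fullmatch(r"(?:mov|xchg)\s+(\w+),\s*\1", ins):
            i += 1
            continue
        out.append(ins)
        i += 1
    return out


def raw_signature(instrs):
    """Hash over the sequence as written: what a naive static signature sees."""
    return hashlib.sha256("\n".join(s.strip().lower() for s in instrs).encode()).hexdigest()


def signature(instrs):
    """Hash over the normalized sequence: what a normalizing scanner matches on."""
    return hashlib.sha256("\n".join(normalize(instrs)).encode()).hexdigest()


# Constructed sample: an original sequence and a substituted variant of it.
ORIGINAL = ["mov edx, eax", "call 0x401000", "xor eax, eax"]
MUTATED = ["push eax", "pop edx", "nop", "call 0x401000", "xor eax, eax", "mov ecx, ecx"]

if __name__ == "__main__":
    print(raw_signature(ORIGINAL) == raw_signature(MUTATED))  # False
    print(signature(ORIGINAL) == signature(MUTATED))          # True
```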

For #2, we actually find that another guy, tibbar, has created a very cool program to do just this. He calls his program CodeCrypter. He was nice enough to email me a version with source to play with. You can see the result of tibbar's CodeCrypter here. In the first column is the address of the instruction, in the next is the original instruction, and in the last is the new instruction(s). Well, how does it work? Pretty well; most AV will be defeated by it. If you take a standard program you know AV will freak out over (Hacker Defender) and send it over to one of many sites that will check a binary against all 20 AV companies (I use virustotal.com), you will get a report similar to this:

This is a report processed by VirusTotal on 04/05/2006 at 00:03:33 (CET) after scanning the file "hxdef100.exe" file.
Antivirus Version Update Result
AntiVir 6.34.0.14 04.04.2006 BDS/HacDef.073.B.1
Avast 4.6.695.0 04.03.2006 Win32:Hacdef-G
AVG 386 04.04.2006 BackDoor.Generic.XPG
Avira 6.34.0.54 04.04.2006 BDS/HacDef.073.B.1
BitDefender 7.2 04.04.2006 Backdoor.Hacdef.AE
CAT-QuickHeal 8.00 04.04.2006 Backdoor.HacDef.ae
ClamAV devel-20060202 04.04.2006 Trojan.HacDef.073.B
DrWeb 4.33 04.04.2006 BackDoor.HackDef.134
eTrust-InoculateIT 23.71.119 04.04.2006 no virus found
eTrust-Vet 12.4.2148 04.04.2006 Win32/HacDef.E
Ewido 3.5 04.04.2006 Backdoor.HacDef.ae
Fortinet 2.71.0.0 04.04.2006 W32/HacDef.AE!tr
F-Prot 3.16c 04.04.2006 security risk named W32/Hackdef.FI
Ikarus 0.2.59.0 04.04.2006 Backdoor.Win32.HacDef.084
Kaspersky 4.0.2.24 04.04.2006 Backdoor.Win32.HacDef.073.b
McAfee 4733 04.04.2006 HackerDefender.gen.c
NOD32v2 1.1471 04.04.2006 Win32/HacDef
Norman 5.90.15 04.04.2006 W32/Hacdef.CM
Panda 9.0.0.4 04.04.2006 Bck/Hacdef.ED
Sophos 4.04.0 04.04.2006 Troj/HacDef-Fam
Symantec 8.0 04.04.2006 Backdoor.HackDefender
TheHacker 5.9.7.124 04.03.2006 Trojan/hackdef.d3
UNA 1.83 04.04.2006 Backdoor.Hacdef
VBA32 3.10.5 04.04.2006 Backdoor.Win32.HacDef.ae


Note: The only Antivirus that doesn't find Hacker Defender is CA's eTrust. I can't believe anyone would attempt selling something even called "Antivirus" if it didn't at least find Hacker Defender. If you have eTrust installed, it is just wasting processor cycles; you are better off virtually folding proteins or something.

Anyway, if we run the binary through tibbar's CodeCrypter, we get much better results:

This is a report processed by VirusTotal on 04/05/2006 at 00:20:29 (CET) after scanning the file "hxdef100.exe" file.
Antivirus Version Update Result
AntiVir 6.34.0.14 04.04.2006 no virus found
Avast 4.6.695.0 04.03.2006 no virus found
AVG 386 04.04.2006 no virus found
Avira 6.34.0.54 04.04.2006 no virus found
BitDefender 7.2 04.04.2006 MemScan:Backdoor.Hacdef.AE
CAT-QuickHeal 8.00 04.04.2006 (Suspicious) - DNAScan
ClamAV devel-20060202 04.04.2006 no virus found
DrWeb 4.33 04.04.2006 no virus found
eTrust-InoculateIT 23.71.119 04.04.2006 no virus found
eTrust-Vet 12.4.2148 04.04.2006 no virus found
Ewido 3.5 04.04.2006 no virus found
Fortinet 2.71.0.0 04.04.2006 suspicious
F-Prot 3.16c 04.04.2006 no virus found
Ikarus 0.2.59.0 04.04.2006 Backdoor.Win32.HacDef.084
Kaspersky 4.0.2.24 04.04.2006 Backdoor.Win32.HacDef.073.b
McAfee 4733 04.04.2006 no virus found
NOD32v2 1.1471 04.04.2006 a variant of Win32/HacDef
Norman 5.90.15 04.04.2006 no virus found
Panda 9.0.0.4 04.04.2006 Suspicious file
Sophos 4.04.0 04.04.2006 no virus found
Symantec 8.0 04.04.2006 no virus found
TheHacker 5.9.7.124 04.03.2006 no virus found
UNA 1.83 04.04.2006 no virus found
VBA32 3.10.5 04.04.2006 Backdoor.Win32.HacDef.ae


The only "big name" Antivirus to discover the modified program is Kaspersky. All of the big guns, Symantec, McAfee, Sophos and ClamAV, are circumvented! Of course eTrust likely thinks this new version of the binary is winword.exe or something. ;)

So, why is it detected at all? Well, the version of CodeCrypter that I used retained the same OEP (original entry point). I suspect if this was randomized, all AV would be circumvented.
