Detection Methods Commonly Used by AV Software
Checksum Based Detection:
AV companies have databases that they use to identify known viruses more easily. Of course, since the data size of the hash signature of an average file will be much smaller than the file itself, it will be easier to both store them in the database and transfer them. In this way, AV software calculates the hash checksum of a file and compares it with those in the database. It can immediately tell whether it is a previously known virus or not.
Behavior Based Detection:
Since the checksum-based detection method is ineffective, especially against newly released viruses, modern AV software also offers a behavior-based detection method. The purpose of this is to understand whether the executable files are harmful or not by running them in the virtual environment of the AV software and examining their behavior before running them on the computer. The behaviors examined are generally whether the program in question is extracting a file somewhere, trying to create or modify a registry key, etc. Thus, the AV software can detect whether the program in question is a virus or not, before the program runs on the computer and damages the computer.
Bypassing Methods
Make Viruses Not in EXE Form:
If you make a virus in script form instead of a directly executable virus such as EXE, for example using perl or python, interpreters must be installed on the computer for these scripts to run, and if the sandbox system of the AV software that is tried to be bypassed is not set up well, it cannot run the scripts in question and analyze their behavior, and also Some AV software have white lists that they set to prevent them from being touched, and since the non-EXE viruses in question will run through an interpreter, the behavior of the virus will actually be done by those interpreters, that is, your virus script or your java virus that will run on the java virtual machine is just a list of commands given to the interpreter or JVM. Therefore, if the interpreter or JVM in question is in the white list, you have already directly bypassed the AV software.
You must be able to understand whether the virus you will create is running in a VM:
By using native code in the source code of your virus, you can make functions to understand whether the virus is running in the virtual machine or the real environment, which can enable you to bypass the sandbox detection system of AV software. For example, if the virus is running in the virtual machine, it will think that it is in the sandbox and perform an innocent behavior such as performing the 2 + 2 operation, and if it is in the virtual machine If not, it performs normal virus functions.
There is JNA (Java Native Access) library so that we can use native code in Java.
Download Link: https://github.com/java-native-access/jna
There are 2 ways we can do this test.
1) Things we need to check;
–VME artifacts in processes, file system or registry
–VME artifacts in memory
–VME-specific virtual hardware
–VME-specific processor commands and features
2) We can use the non-standard x86 commands coming from the virtualization software to see if we are getting any errors. The logic here is that if the program gets an error when it uses these commands, it is in the real environment because the commands in question will only run on the virtual machine.
Another test method is known as “The Red Pill” and was performed by Joanna Rutkowska in November 2004. The logic of this method is more linear and SIDT runs a single machine language command called “Store Interrupt Descriptor Table”, but we will use the second way, that is, the commands that will read the values set by the VM visitor tools.
2. Example Usage of the Road:
First we need to make a dll file with the following C++ source code.
AV Software BYPASS Techniques
To compile this, you need to download Visual Studio 2005 (or higher) and Microsoft Platform SDK 2003.
Create a new DLL project, then copy and paste the above code into the main CPP file and build. Now the dll file we have has the function required to control the virtual environment, so all we need to do is call this function in our java virus.
Create VmCheck.java file and paste the following code
AV Software BYPASS Techniques
This will be our VmCheck interface, then create the Test.java file and paste the code below
AV Software BYPASS Techniques
When we run test.java, it will tell us whether it is running in VMWare, virtual pc or real environment.
Prefer Making Malware Scripts That Can Change Its Source Code:
The source code of script files is also the only thing that determines the hash signature of that file, so things like changing the name of a variable in the source code or adding 1 extra line of code will also change the hash signature of your script file in question, and we can use this to bypass the checksum-based scanning method.
Example Usage:
Let's imagine that we have a bat virus, for example, its features are as follows; Creating a registry key to restart itself with the computer, copying itself to the startup folder of other computers via the local network, and finally replacing other files in the system with itself.
The source code below belongs to such a virus.
AV Software BYPASS Techniques
If this virus becomes popular, AV software can easily detect it since there will be a hash signature in the databases used by AV software. In other words, we should add a new feature to the virus and ensure that it changes its hash signature every time it runs.
Since the virus in question here is not an executable file but a simple bat script, and since the commands in bat scripts are not compiled but implemented line by line, it is very simple to achieve this. That is, if the script writes random letters at the end of the codes every time it runs, for example, the hash signature will also change because the source code will have changed.
AV Software BYPASS Techniques
As you can see above, we have added "echo abc >> service.bat" in the 2nd line to our code and ":hashchanger" and an empty line in the last 2 lines, which means that every time the virus runs, before running the virus functions, the next line after the ":hashchanger" line in the source code will be added. will write “abc” on the empty line (the name of the bat file in the example is service.bat).
Test:
Before first run, the crc-32 value of the file is 5BD129F0 as follows
AV Software BYPASS Techniques
As you can see below, with the changed a.zip file after the 1st run, the crc-32 value of the virus becomes 35724FE0.
AV Software BYPASS Techniques
After the 4th execution, "abcabcabcabc" is written at the end in the source code of the virus and the crc-32 value becomes A3E64EAE
AV Software BYPASS Techniques
As you can see below, Windows Defender does not detect the virus like popular AV software, because thanks to this simple method, it can no longer be said that there is a definitive hash signature for the virus.
AV Software BYPASS Techniques
Resources:
https://stackoverflow.com/questions/18122711/how-do-i-check-if-my-java-program-is-running-in-a-virtual-machine
https://stackoverflow.com/questions/35587412/how-this-batch-worm-works